Foreword



The papers in this volume were presented at the CRYPTO '88 conference on theory and applications of cryptography, held August 21-25, 1988 in Santa Barbara, California. The conference was sponsored by the International Association for Cryptologic Research (IACR) and hosted by the computer science department at the University of California at Santa Barbara.

The 44 papers presented here comprise: 35 papers selected from 61 extended abstracts submitted in response to the call for papers, 1 invited presentation, and 6 papers selected from a large number of informal rump session presentations.

The papers were chosen by the program committee on the basis of the 
perceived originality, quality and relevance to the field of cryptography of the 
extended abstracts submitted. The submissions were not otherwise refereed, 
and often represent preliminary reports on continuing research. 

It is a pleasure to thank many colleagues. Harold Fredricksen single-handedly made CRYPTO '88 a successful reality. Eric Bach, Paul Barrett, Tom Berson, Gilles Brassard, Oded Goldreich, Andrew Odlyzko, Charles Rackoff and Ron Rivest did excellent work on the program committee in putting the technical program together, assisted by kind outside reviewers.

Dawn Crowel at MIT did a super job in publicizing the conference and 
coordinating the activities of the committee, and Deborah Grupp has been 
most helpful in the production of this volume. Special thanks are due to Joe 
Kilian whose humor while assisting me to divide the papers into sessions was 
indispensable. 

Finally, I wish to thank the authors who submitted papers for consideration and the attendees of CRYPTO '88 for their continuing support.

Cambridge, MA
Weakening Security Assumptions and Oblivious Transfer

(Abstract) 

Claude Crépeau* (Department of Computer Science, MIT)
Joe Kilian† (Mathematics Department, MIT)



1 Introduction 

Our work is motivated by a recent trend in cryptographic research. Protocol problems that have previously been solved subject to intractability assumptions are now being solved without these assumptions. Examples of this trend include a new completeness theorem for multiparty protocols [BGW, CCD], and a protocol for Byzantine agreement using private channels [FM]. These breakthroughs illustrate both the strengths and the weaknesses of using the cryptographic model. Devising first a protocol that uses cryptographic assumptions can give powerful intuition that later allows one to create a protocol that works without assumptions. However, there is a danger that the cryptographic assumptions one uses can become inextricably bound up in the protocol. It may take years before these assumptions can be ironed out of the final protocol.

One way to keep a firm grasp on one's cryptographic assumptions is to compartmentalize them into a small set of relatively simple primitives. One then attempts to build protocols on top of these primitives, without using any cryptographic assumptions in the high-level design. The problem of eliminating cryptographic assumptions from the protocol is then reduced to that of implementing the primitives without cryptography.

In this abstract, we explore a particularly useful set of primitives, known as oblivious transfers. First introduced by Rabin, oblivious transfer protocols are games in which one player, Sam (the sender), can impart some information to another player, Rachel (the receiver), without knowing precisely what information he has imparted.

*Supported in part by an NSERC Postgraduate Scholarship. Some of this research was performed while visiting Bell Communication Research.

†Research supported in part by a Fannie and John Hertz foundation fellowship, and NSF grant 865727-DCR. Some of this research was performed while visiting Bell Communication Research.
Oblivious transfers come in a wide variety of flavors, and are not obviously reducible to each other. Following the work of Brassard, Crépeau, Robert [BCR], and Crépeau [C], we develop techniques for establishing equivalences between a wide variety of oblivious transfers.

We also investigate the properties of an ordinary noisy channel. By a noisy channel, we mean a communication line in which a transmitted bit is flipped with a certain fixed probability. This model has been extensively studied in coding theory, but relatively little was previously known about its cryptographic capabilities. We show that a noisy channel can be used to implement two-party cryptographic protocols without any intractability assumptions. In the forthcoming [CK] we also study a transfer mechanism we refer to as quantum transfer. This mechanism abstractly models a transfer mechanism based on quantum mechanics.

Weaker variants of two of the more standard forms of oblivious transfer are also studied. We investigate scenarios in which the security properties guaranteed by these mechanisms may be almost completely violated. We show that in many of these scenarios, it is still possible to achieve the full power of ordinary oblivious transfer.

The purpose of this abstract is to introduce the reader to the terminology and 
the statement of our results. To get the actual reductions and more detail on the 
application of the techniques described in this abstract, the reader should consult 
[CK]. 

Main Results 

Our results may be summarized as follows. Before reading these theorems, we refer 
the reader to Section 2 of the paper, which provides the necessary terminology. 

Theorem 1: α-1-2 slightly oblivious transfer is as powerful as 1-2 oblivious transfer.

Theorem 2: Noisy transfer is as powerful as 1-2 oblivious transfer. 

Theorem 3: α-slightly oblivious transfer is as powerful as 1-2 oblivious transfer.

2 Definitions 

In this section, we describe the various forms of information transfer mechanisms we 
will be considering. We define the two standard mechanisms, two weakened versions 
of the standard forms of oblivious transfer, and our nonstandard transfer mechanism. 

2.1 Standard forms of oblivious transfer 

There are two standard forms of oblivious transfer. We refer to these mechanisms as 
oblivious transfer and 1-2 oblivious transfer. 
Oblivious Transfer: In this protocol, Sam has a secret bit, b. At the end of the protocol, one of the following two events occurs, each with probability 1/2.

1. Rachel learns the value of b.

2. Rachel gains no further information about the value of b (other than what Rachel knew before the protocol).

At the end of the protocol, Rachel knows which of these two events actually occurred, and Sam learns nothing.

Less formally, we can view this protocol as one in which Sam sends a letter to Rachel, which arrives exactly half the time.

1-2 Oblivious Transfer: In this protocol, Sam has two secret bits, $b_0$ and $b_1$. Rachel has a selection bit, s. At the end of the protocol, the following three conditions hold.

1. Rachel learns the value of $b_s$.

2. Rachel gains no further information about the value of the other bit, $b_{1-s}$.

3. Sam learns nothing about the value of s.

Less formally, Sam has two secrets. Rachel can select exactly one of them, and Sam doesn't know which secret Rachel selected.

Dirtier Notions of Oblivious Transfer 

In describing oblivious transfers, we make two distinct specifications. First, we specify what information is being transferred. Second, we impose a set of security conditions, specifying what information each party is guaranteed not to know at the end of the protocol, and specifying that certain events cannot be controlled by either party. The definitions of oblivious transfer and 1-2 oblivious transfer are particularly stringent in their security conditions. In oblivious transfer, Sam has no control over whether Rachel receives b. In 1-2 oblivious transfer, Sam gains no information about Rachel's selection s. We would like to be able to handle cases in which a malicious Sam can, through some form of cheating, violate these security conditions. This motivates the following definitions.

α-Slightly Oblivious Transfer: This protocol is the same as oblivious transfer, except that instead of Rachel learning bit b with probability 1/2, she learns it with probability p. If Sam is nonmalicious, p = 1/2. If Sam is malicious, he may choose any value of p he wishes, subject to $1 - \alpha < p < \alpha$.

α-1-2 Slightly Oblivious Transfer: This protocol is the same as 1-2 oblivious transfer, except that at the conclusion of the protocol, a malicious Sam can guess Rachel's selection bit s with probability α.

In both these definitions, the interesting range for α is $1/2 < \alpha < 1$.
2.2 Nonstandard transfer mechanism

We now consider our nonstandard transfer mechanism, motivated by coding theory. 

Noisy Transfer: In this protocol, Sam has a secret bit, b. Rachel has no information about b. At the end of the protocol, Rachel receives a bit b'. With probability 3/4, b' = b; otherwise $b' = \bar{b}$ (the complement of b). Sam learns nothing.

This protocol may be thought of as simulating a noisy communication channel, in which a bit is flipped with probability 1/4. We can parameterize the above definition by replacing the 3/4 with a probability p. We call this p-noisy transfer. In this paper, we only consider the "standard" noisy transfer, where p = 3/4.

Note that in these definitions, there is a careful distinction made between the powers of a malicious Sam versus the powers of a nonmalicious Sam. Since a malicious Sam is always more powerful than a nonmalicious Sam, it would at first seem natural to simply assume that Sam is malicious. However, we require that the protocols we build on top of these primitives meet the following two requirements: They must work when Sam is nonmalicious, and they must maintain their security conditions when Sam is malicious. So, for example, if one is building a protocol using a 3/4-slightly oblivious transfer subprotocol, one cannot require Sam to send 1000 bits, having at least 600 get through to Rachel. A malicious Sam could easily do this, but a nonmalicious Sam could not.
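The "1000 bits, at least 600 through" remark quantified, as an added example that is not part of the paper: the channel is simulated as a 3/4-slightly oblivious transfer in which each bit reaches Rachel independently with probability p, and the exact binomial tail shows why a nonmalicious Sam (p = 1/2) cannot meet such a threshold while a malicious one (p = 3/4) meets it almost surely. The function names and the sampled bits are constructed for the example.

```python
from fractions import Fraction
from math import comb
import random


def binomial_tail(n, p, k):
    """Exact P[Bin(n, p) >= k], computed with rationals so nothing is rounded away."""
    p = Fraction(p)
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def slightly_ot_run(bits, p, rng):
    """One run of an alpha-slightly oblivious transfer channel over a list of bits:
    each bit independently reaches Rachel with probability p, otherwise she
    verifiably receives nothing (None).  A nonmalicious Sam has p = 1/2; a
    malicious Sam may set any p in the range 1 - alpha < p < alpha."""
    return [b if rng.random() < p else None for b in bits]


def delivered(received):
    """How many of the transferred bits actually reached Rachel."""
    return sum(1 for r in received if r is not None)


def threshold_requirement(n=1000, k=600, alpha=Fraction(3, 4)):
    """Probability that a rule 'at least k of n bits get through' is satisfied by a
    nonmalicious Sam (p = 1/2) and by a malicious Sam pushing p up to alpha."""
    return binomial_tail(n, Fraction(1, 2), k), binomial_tail(n, alpha, k)


def simulate_counts(n=1000, alpha=0.75, seed=1):
    """Sample one run for each kind of Sam over n constructed random bits
    (the seed only makes the sample reproducible)."""
    rng = random.Random(seed)
    bits = [rng.getrandbits(1) for _ in range(n)]
    honest = delivered(slightly_ot_run(bits, 0.5, rng))
    malicious = delivered(slightly_ot_run(bits, alpha, rng))
    return honest, malicious


if __name__ == "__main__":
    honest_prob, malicious_prob = threshold_requirement()
    print("nonmalicious Sam meets 600/1000:", float(honest_prob))
    print("malicious Sam meets 600/1000:   ", float(malicious_prob))
    print("sampled deliveries (honest, malicious):", simulate_counts())
```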

3 Making honest reductions more robust 

In this section we sketch the ideas behind the technique for strengthening some of our reductions. Using this technique, we can write simple reductions which depend on the receiver being honest, and in a fairly routine fashion, convert them to protocols which are robust against cheating by the receiver. This technique will be crucial in our reductions from 1-2 oblivious transfer to α-oblivious transfer and noisy transfer.

3.1 The general scenario 

We consider transfer mechanisms with the verifiable obliteration property. By this 
we mean that the transfer mechanism occasionally gives the receiver a value which 
is uncorrelated with the bit sent, and for which the receiver knows this fact. Two 
examples of such mechanisms are ordinary oblivious channel and a-oblivious transfer. 
Our intermediate goal is to implement some form or another of 1-2 oblivious transfer. 
Having accomplished this, we then try to apply the techniques leading to theorem 1 
to implement standard 1-2 oblivious transfer. 

For the complete description of this technique, consult [CK]. 
4 The power of noise

In this section we consider the cryptographic power of an ordinary noisy communication channel, i.e. one which inverts a transmitted bit with some fixed probability. We sketch the proof that this family of transfer mechanisms can be used to implement 1-2 oblivious transfer, and hence a wide variety of secure two-party protocols.

4.1 A philosophical remark 

Noisy channels have been extensively studied in the field of coding theory, and it is 
interesting to see how our perspective differs from the more traditional one. Coding 
theory adopts the viewpoint that noise is a bad thing, to be eliminated as efficiently 
as possible. Given a noisy channel, a coding theorist tries to simulate a pristine, 
noiseless communication line. 

From our point of view (following Wyner [W]), an ideal communication line is 
a sterile, cryptographically uninteresting entity. Noise, on the other hand, breeds 
disorder, uncertainty, and confusion. Thus, it is the cryptographer's natural ally. 
The question we consider is whether this primordial uncertainty can be sculpted into 
the more sophisticated uncertainty found in secure two-party protocols. The result 
outlined in this section answers this question in the affirmative. 

4.2 An outline of our reduction 

Our reduction consists of four main parts. We first show how to use a noisy transfer 
channel to simulate a very dirty transfer channel which has the total obliteration 
property. This allows us to start applying the techniques of Section 3. Using these 
techniques, we can show how to implement a version of 1-2 oblivious transfer similar 
to a-1-2 slightly oblivious transfer. We can then use the proof of Theorem 1 to get 
an almost pure 1-2 oblivious transfer channel. This channel may be used to simulate 
a pure 1-2 oblivious transfer channel. 

Please consult [CK] for the details of the reduction. 
Abstract

We present strong evidence that the implication, "if one-way permutations exist, then secure secret key agreement is possible", is not provable by standard techniques. Since both sides of this implication are widely believed true in real life, to show that the implication is false requires a new model. We consider a world where all parties have access to a black box for a randomly selected permutation. Being totally random, this permutation will be strongly one-way in a provable, information-theoretic way. We show that, if P = NP, no protocol for secret key agreement is secure in such a setting. Thus, to prove that a secret key agreement protocol which uses a one-way permutation as a black box is secure is as hard as proving P ≠ NP. We also obtain, as a corollary, that there is an oracle relative to which the implication is false, i.e., there is a one-way permutation, yet secret-exchange is impossible. Thus, no technique which relativizes can prove that secret exchange can be based on any one-way permutation. Our results present a general framework for proving statements of the form, "Cryptographic application X is not likely possible based solely on complexity assumption Y."



1 Introduction 

A typical result in cryptography will be of the form: With assumption X, we can prove that a secure protocol for task P is possible. Because the standard cryptographic assumptions are, at present, unproved, many results focus on weakening the assumptions needed to imply that a given protocol is possible. As a consequence, we ask a new form of question: which assumptions are too weak to yield a proof that a secure protocol for P is possible?

*Research partially supported by NSF grant CCR 88-13632.

†Research partially supported by NSF grant CCR 88-13632 and an IBM doctoral fellowship.

The task we will study is secure secret-key agreement. Secret-key agreement is a 
protocol where Alice and Bob, having no secret information in common, agree on a 
secret-key over a public channel. Such a protocol is secure when no polynomial-time 
Eve listening to the conversation can determine part of the secret. Secure secret-key 
agreement is known to be possible under the assumption that trapdoor functions exist 
[DH76], [GM84]. However, researchers have been frustrated by unsuccessful attempts 
to base it on the weaker assumption that one-way permutations exist. 

We provide strong evidence that it will be difficult to prove that secure secret-key agreement is possible assuming only that a one-way permutation exists. We model the existence of a one-way permutation by allowing all parties access to a randomly chosen permutation oracle. A random permutation oracle is provably one-way in the strongest possible sense. We show that any proof that secure secret-key agreement is possible in a world with a random permutation oracle would simultaneously prove P ≠ NP. (Formally, P = NP implies there is no secure secret-key agreement relative to a random permutation oracle.) We conclude that it is as hard to provably base a secure secret-key agreement protocol on an arbitrary one-way permutation as it is to prove P ≠ NP. Furthermore, we can use the above result to construct an oracle relative to which one-way permutations exist, but for which secure secret-key agreement is impossible. (This oracle O is constructed by starting with an oracle for which P = NP, and adding on a random permutation oracle.) This means that any proof that the existence of a one-way function implies that of a secure secret-key agreement protocol cannot relativize (i.e., hold relative to any oracle). Non-relativizing proofs are few and far between not only in cryptography, but in complexity theory as a whole. Since the technique of examining complexity relative to an oracle was introduced in [BGS75], relativization results have been used to provide evidence for the difficulty of resolving questions in complexity theory [BG81]. (We will later briefly discuss the possibility that a non-relativizing proof basing secure secret-key agreement on a one-way permutation can be found.) Relativized complexity has not been frequently used in cryptography ([Bra, Bra83] is one exception to this rule); we hope the framework developed here will have wide applicability in separating the strengths of cryptographic assumptions.

Our result also has some implications for "black box" reductions between various other cryptographic assumptions and tasks. Instead of formalizing the notion of "black box" reducibility to an assumption or task, which would involve going into the specifics of these assumptions and tasks, we will use the phrase "A is black-box reducible to B" as an abbreviation for "If B holds relative to an oracle O, then A also holds relative to O". (In [I88], a general notion of "black box" proof is developed, and shown to be basically equivalent to that given in the preceding.) Since the definitions of the cryptographic tasks and assumptions mentioned here are lengthy, technical, and often not unique, to describe them formally would require a separate paper. (In fact, papers have been written describing various ways of formalizing some of the terms used here; for others, such papers do not presently exist but are greatly needed.) Therefore, rather than attempt to define these terms here, we will give references to papers introducing these concepts and/or papers clarifying them. We hope the reader not familiar with cryptography will still be able to follow the general idea of the following discussion.

    A                                                  B
    One-way permutations exist                         Secret-key agreement is possible
    Signature schemes exist                            Oblivious transfer is possible
    Pseudo-random generators exist                     Trapdoor functions exist
    Private-key cryptosystems exist                    Voting Schemes exist
    Telephone coin flipping is possible
    Bit commitment with strong receiver is possible
    Bit commitment with strong sender is possible
    Collision free functions exist

Cryptographic tasks to be discussed here include: coin flipping by telephone ([Blu82]), electronic signatures ([DH76], [GMR84]), private-key cryptography ([GM84, GGM84, LR86, Rac88]), bit-commitment (both the strong committer version ([GMW87]) and the strong receiver version ([BCC87])), identification ([DH76], [FFS86]), electronic voting ([Ben87]), oblivious transfer ([Blu81, Rab81]), and secret-key exchange itself ([DH76, Mer78]). General assumptions which have been used in cryptography include the existence of: one-way permutations ([P74]), pseudo-random generators ([BM84, Yao82]), trap-door permutations ([DH76]), and two-to-one collision-free functions. This last is a function f which is easily computable, is two-to-one on strings of length n, and where no polynomial-time algorithm, given n, can find strings x and y of length n with f(x) = f(y).

Many reductions between the various assumptions and tasks listed above are known. In particular, it is known that the existence of a one-way permutation implies the following: pseudo-random generators exist ([Yao82]), private-key encryption is possible ([GM84, GGM84, LR86]), strong committer bit commitment is possible ([Yao82, GMW87]), telephone coin flipping is possible ([Blu82]), and electronic signatures are possible ([NY]). All of the preceding results relativize. We construct an oracle O relative to which one-way permutations exist, but for which no secret-key agreement protocol is possible. From relativized versions of these results, it follows that O will also have the property that, relative to O, pseudo-random generators exist, strong committer bit commitment is possible, etc. Thus, none of the preceding assumptions can imply that secure secret-key agreement is possible in a way which relativizes.

Furthermore, we can add to this list several statements which are not known to follow from the existence of a one-way permutation, but which O can be proved to satisfy because a truly random permutation is used in O's construction. For example, it is unknown whether a one-way permutation can be used to construct a two-to-one collision-free function, but it is easy to see that for a random permutation p, the function which outputs all but the last bit of p will be such a function. [NY] show that the existence of a two-to-one collision-free function suffices to construct a protocol for strong receiver bit commitment. Thus, neither the existence of a two-to-one collision-free function nor that of a strong receiver bit commitment protocol suffices to construct a secret-key agreement scheme via a relativizing proof.

Similarly, if an assumption is sufficient to prove the possibility of secret-key agreement in a relativizing manner, it itself cannot be proven from the existence of a one-way permutation via a "black box" reduction. Examples of such assumptions include oblivious transfer ([Blu81, Rab81]), voting ([Ben87]), and trap-door functions ([DH76, GM84]).

To summarize: 

There is an oracle O relative to which all A's hold, but all B's do not. (See above 
table.) 

Some caution is needed in interpreting these results, since at least one non-relativizing construction in cryptography is known. In [I88] it is shown that the theorem proved in [GMW87], "the existence of a one-way permutation implies the existence of zero-knowledge protocols for all languages in NP", fails with respect to a random permutation. In contrast, the [FFS86] construction of an identification protocol based on any one-way function will not be possible with just a black box for a random permutation. Their construction is as follows. Every person chooses a random x, and announces publicly f(x) as their I.D. To prove you are the person with I.D. I, you give a zero-knowledge proof of knowledge that you know an x with f(x) = I. However, to give a zero-knowledge proof as in GMW and FFS that you know such an x, it is necessary to have an actual circuit that computes f, not just a black box which gives the value of f. In fact, if f is a random permutation, no such zero-knowledge proof will be possible. Thus, the [FFS86] scheme does not relativize. The [FFS86] protocol is exceptional even for those constructions involving zero-knowledge proofs. Most applications of zero-knowledge will in fact relativize, even though the literal statement of the [GMW87] theorem does not. In a world with a random permutation oracle, it is possible to give a zero-knowledge proof for any property actually in NP, as opposed to NP relativized to this oracle. It is only applications which attempt to "bootstrap", proving things concerning the values of the same function used to make the protocol zero-knowledge, which fail to relativize.

The above example is the only non-black box construction in cryptography known to the authors for a result in a general form (as opposed to results involving specific cryptosystems). Thus, it is fair to say that the result presented here shows that most of the standard techniques in cryptography cannot be used to construct a secret-key exchange protocol from a one-way permutation.
2 Notation and definitions

A secret-key agreement protocol is a pair of PPTMs called Alice and Bob. Each machine has a set of private tapes: a random-bit tape, an input tape, two work tapes, and a secret tape. In addition, they have a common communication tape that both can read and write. A run of the protocol is as follows: Alice and Bob both start with the same integer l written in binary on their input tapes; Alice and Bob run, communicating via the common tape; Alice and Bob both write an l-length string on their secret tape. If this string is the same, Alice and Bob are said to agree. The entire history of the writes to the communication tape is called the conversation. a(l) will denote the probability that Alice and Bob agree on a secret of length l.

A PPTM Eve breaks a secret-key agreement protocol if Eve, given only the conversation, can guess the secret with probability a(l)/poly(l). A protocol is secure if no Eve can break it. One could imagine far more stringent notions of security. For example, we might require that Eve can't even get one bit of the secret. However, in our scenario, we will be breaking secret-key agreement in the strong sense defined above, thus including the weaker notions of breaking that an applied cryptographer would use. (For example, a cryptographer would be happy to learn one bit of the secret.)

A one-way permutation is a 1-1, onto, polynomial-time computable function from n-bit strings to n-bit strings, where the inverse permutation is not computable in polynomial time. In fact, for cryptography we require that no PPTM can expect to invert the function on more than a 1/poly(n) fraction of the inputs of length n.

We will abbreviate probabilistic polynomial-time Turing machine with the notation PPTM. The computation of a PPTM on a given input will be a trace of the entire run of the machine given the input. (The computations are indexed by the possible random tapes.) If the machine is an oracle machine, this would include all the queries and answers received during the computation. (In this case, each computation would be determined by a random tape, and by a finite set of query-answer pairs.) We use the notation poly to refer to some polynomial function. Thus, we can use the freewheeling arithmetic poly * poly = poly. A conversation between two PPTMs is the history of writes to the cells of a common communication tape.

We will use the following form of the pigeonhole principle:

Let M be a 0-1 matrix with a $1 - \epsilon$ proportion of 1s. For every a, b with $ab = \epsilon$, a $1 - a$ portion of the columns have at least a $1 - b$ portion of 1s. (It suffices to note that the worst case is when the 0's are concentrated in an a by b rectangle.)
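The counting step behind that parenthetical, written out (added here; writing $\epsilon$ for the proportion of 0's in M, so that $ab = \epsilon$): call a column bad if more than a $b$ fraction of its entries are 0. If more than an $a$ fraction of the columns were bad, then counting 0's column by column,

$$\frac{\#\{\text{0's in } M\}}{\#\{\text{entries of } M\}} \;\ge\; (\text{fraction of bad columns}) \cdot b \;>\; a \cdot b \;=\; \epsilon,$$

contradicting the hypothesis that only an $\epsilon$ fraction of the entries are 0. Hence at most an $a$ fraction of the columns are bad, so at least a $1 - a$ fraction have at least a $1 - b$ fraction of 1s; equality is approached exactly when the 0's fill an $a$ by $b$ rectangle.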
3 Uniform Generation

3.1 Polynomial-time relations

A relation, R, is polynomial-time if we can decide xRy in time polynomial in ||x|| + ||y||. In this paper, we will only consider relations where the length of y is polynomially related to the length of x. "Is satisfied by" is an example of such a relation: x is satisfied by y iff x is a boolean formula and y is one of its satisfying assignments.

3.2 What is uniform generation? 

Let R be the "is satisfied by" relation. We can ask two natural questions:

Existence Given x, does there exist a y such that xRy?
(Does a given formula have a satisfying assignment?)

Counting Given x, how many y exist such that xRy?
(How many satisfying assignments does a given formula have?)

The existence question, satisfiability, is NP-complete. The counting question, thought to be harder than satisfiability, is #P-complete. Jerrum, Valiant, and Vazirani [JVV86] introduced a problem of intermediate complexity.

Uniform generation Given x, pick a y uniformly at random such that xRy. 
(Given a formula, find a random satisfying assignment.) 

More generally, let R be a polynomial-time relation. Let M be a PPTM with 
a fixed (as opposed to expected) polynomial running time. We say M uniformly 
generates R if given x, M has at least a 50% chance of outputting a uniformly chosen 
y such that xRy; otherwise, M outputs "try again". If such a y does not exist, M 
will only output "try again". Notice that rerunning the algorithm when it fails to 
generate a random y will succeed in generating a random y in expected polynomial 
time. 

3.3 P = NP and uniform generation 

Theorem 3.1 (JVV) For any polynomial-time relation, there exists a PPTM equipped with a $\Sigma_2^p$ oracle that uniformly generates it.

Theorem 3.2 P = NP ⇒ for any polynomial-time relation, there exists a PPTM that uniformly generates it.

Proof: P = NP ⇒ the polynomial-time hierarchy collapses [CKS81] ⇒ a polynomial-time machine can simulate a $\Sigma_2^p$ oracle ⇒ can use previous theorem to uniformly generate. ■

Let M be a PPTM. There are possibly many different computations of M con- 
sistent with a given input and output. (Of course, there may be none.) The following 
corollary shows that if P = NP, we can efficiently pick a random element from the 
finite set of these computations. 

Corollary 3.1 P = NP ⇒ it is possible to generate a random computation for a given PPTM, M, with given input, I, and given output, O, in expected polynomial time.

Proof: Checking that the trace of a computation is consistent with M, I, and O is 
a polynomial-time relation. ■ 



Corollary 3.2 P = NP ⇒ given a conversation, C, between two PPTMs M and N, we can uniformly generate a possible computation of M.

Proof: Checking that C is consistent with a given computation of M is possible in 
polynomial-time. ■ 



3.4 An application to cryptography 

Public-key cryptography relies on the assumption that P ≠ NP. The formal version of this fact, P = NP implies secret-key agreement is not possible, is something one might see a rather technical proof of in a first-year course. We can use our results on uniform generation to give a particularly simple proof of the optimal result.

Theorem 3.3 P = NP ⇒ Eve has an expected polynomial time algorithm to break any given secret-key agreement protocol in the strongest possible sense: Eve will find the secret with exactly the same probability that Alice and Bob agree on one.

Proof: Fix a computation and resulting secret for Bob. We will show that the probability that Alice agrees with Bob is the same as the probability that Eve agrees with Bob. By corollary 3.2, Eve can generate a random computation of Alice consistent with the conversation. Alice's particular computation is, by definition, a random computation of Alice consistent with the conversation. Thus, Eve and Alice produce secrets with exactly the same probability distribution. They must, therefore, have exactly the same probability of agreeing with Bob. In other words, from Bob's point of view, Alice and Eve think alike; he will fool Eve with exactly the same probability that he will fool Alice. ■



4 Random Oracles 

4.1 Random function oracles 

Let r be a random real between 0 and 1, chosen with the uniform distribution; express 
r in binary notation. A random oracle is the set induced from r as follows: {x : the 
xth binary digit of r is a 1 }. 

With each random oracle R, we can associate a function from n-bit strings to 
n-bit strings. f(i) is defined by its length(i) binary digits; the jth digit is 1 iff 
$(2i+1)\cdot 2^j \in R$. (Every natural is uniquely expressed as an odd times a power of 
2, so distinct pairs (i, j) consult distinct digits of R.) Notice that as we vary over all possible R, we get all possible length-preserving 
functions, each one occurring with the same frequency. Furthermore, using R as an 
oracle, f is polynomial-time computable. Thus, a TM with a random oracle also has 
at its disposal an easy to compute length-preserving random function. The notions 
of a random oracle and a random function oracle will be used interchangeably. We 
state without proof a standard theorem concerning random functions: 

Theorem 4.1 For most oracles, the function associated with the oracle is one-way 
in the strongest possible sense: For every oracle PPTM, there exists a poly, such 
that the machine has expectation no more than $\mathrm{poly}(n)/2^n$ of inverting the inputs of 
length n. 
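The following is an added illustration (not code from the paper) of the construction in section 4.1: a random oracle R is a set of naturals whose membership bits are independent fair coins, and the length-preserving function f reads the jth bit of f(i) from oracle position (2i+1)·2^j. Because every natural is uniquely an odd number times a power of two, that addressing is injective, which is what makes f a uniformly random function on n-bit inputs. The oracle is sampled lazily (a digit is drawn the first time it is queried and memoised thereafter), which is also the "make up the oracle on the fly" idea used in the proof of Theorem 4.2. Names such as RandomOracle, address and oracle_function are my own; the seed exists only for reproducibility.

```python
import random


class RandomOracle:
    """A random oracle R = {x : the x-th binary digit of a uniform random real is 1}.
    Each digit is an independent fair coin, so R is sampled lazily: a digit is drawn
    (and memoised) the first time it is queried, exactly like the answer tape of M'
    in the proof of Theorem 4.2.  (Added illustration, not the paper's code.)"""

    def __init__(self, seed=None):
        self._rng = random.Random(seed)   # seed only for reproducible runs
        self._digits = {}

    def contains(self, x):
        """Is x in R?  Memoised so that repeated queries get the same answer."""
        if x not in self._digits:
            self._digits[x] = self._rng.getrandbits(1)
        return self._digits[x] == 1

    def queries_made(self):
        return len(self._digits)


def address(i, j):
    """Oracle position consulted for the j-th bit of f(i): (2i+1) * 2^j."""
    return (2 * i + 1) << j


def decode_address(a):
    """Inverse of address(): a natural a >= 1 is uniquely odd * 2^j, so (i, j)
    can be recovered by stripping the largest power of two dividing a."""
    j = (a & -a).bit_length() - 1
    return ((a >> j) - 1) // 2, j


def oracle_function(R, i, n):
    """The length-preserving function f associated with R, on the n-bit input i:
    bit j of f(i) is 1 iff address(i, j) is in R.  Since address() is injective,
    the bits of f on distinct inputs come from distinct oracle digits."""
    if not 0 <= i < (1 << n):
        raise ValueError("i must be an n-bit value")
    out = 0
    for j in range(n):
        if R.contains(address(i, j)):
            out |= 1 << j
    return out


def addresses_are_distinct(n):
    """Check the injectivity claim over all (i, j) with i an n-bit input."""
    addrs = {address(i, j) for i in range(1 << n) for j in range(n)}
    return len(addrs) == n * (1 << n)


if __name__ == "__main__":
    R = RandomOracle(seed=2024)
    for x in (0, 1, 5, 255):
        print(f"f({x:08b}) = {oracle_function(R, x, 8):08b}")
    print("addresses distinct for n=6:", addresses_are_distinct(6))
```

Evaluating f on one n-bit input costs exactly n oracle queries, so the polynomial-time computability claimed in the text is visible in queries_made(); the memoisation is what makes the lazily built R behave as one fixed oracle across calls.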

4.2 Random oracles and uniform generation 

Theorem 4.1 implies that uniform generation is impossible in a random world; it is 
impossible to uniformly generate an inverse to the function associated with the oracle. 
Our goal is, assuming P = NP, to break secret-key exchange in a random world. (In 
theorem 3.3, we saw how to break it in the real world.) Even though we can't hope 
for uniform generation in a random world (which would make life very easy), we can 
prove weak analogues of the uniform generation results, which will be helpful. 

The idea is not to generate the computation of an oracle PPTM, M, with a 
particular random oracle, but rather, with a random random oracle; we want a random 
computation of the machine over all possible oracles. Let $M^{I,O}$ be the finite set of 
possible computations of M given input I, output O, using some oracle. (These 
computations are indexed by the random-bit tape, and the oracle query-answer pairs 
used during the computation.) A natural probability distribution to put on $M^{I,O}$ is 
to weight each computation by the probability that it occurs using a random oracle. 
We want to be able to pick a random element of the space $M^{I,O}$. Note: This time 
the distribution on the underlying set is not necessarily uniform. The probability of 
a computation with q queries being chosen is $2^{-q}/2^{-p}$ as likely as a computation with 
p queries being chosen. 

Theorem 4.2 P = NP ⇒ there exists a PPTM that picks a random element from 
the probability space $M^{I,O}$ in expected polynomial time. 

Proof: From the oracle PPTM M, we construct a PPTM M', such that a uniformly 
generated computation of M' given input I and output O, when suitably 
syntactically modified, yields a random element of the probability space $M^{I,O}$. 
Intuitively, M' is an oracle machine that makes up its own oracle on the fly. 

Without loss of generality, assume the computation of M never makes the same 
oracle query twice; keep track of queries asked in a table, and use the oracle only 
when the table does not have the answer. Let t(n) be a polynomial bound on the 
number of oracle queries M asks given an input of length n. M' starts its computation 
by writing down t(n) random bits on a separate tape, called the answer tape. M' 
then proceeds as M would, except that when M asks the oracle for a query answer, 
M' answers the simulated query with the first unused bit from the answer tape. By 
corollary 3.2, we can generate a random computation m' of M', with input I and 
output O, in expected polynomial time. To make m' look like a random computation 
of M, strip away the answer tape, pretending that all answers came from an oracle; 
call the computation that remains m. The probability associated with an m asking 
q queries is proportional to $2^{-q}$. Hence, m is a random element of $M^{I,O}$. ■ 

We can strengthen our result slightly by fixing some finite portion of the oracles 
we wish to consider. Let E be a finite set of oracle addresses and their contents. An 
oracle is said to be consistent with E if the content-address pairs in E are also in the 
oracle. We define a space similar to $M^{I,O}$: $M_E^{I,O}$ is the finite set of computations of M 
given I and O, using oracles consistent with E. Each element in $M_E^{I,O}$ is weighted by 
the probability of it occurring using a random oracle consistent with E. Once again, 
we wish to pick a random element of the space. 

Theorem 4.3 P = NP ⇒ there exists a PPTM that picks a random element of 
the probability space $M_E^{I,O}$ in expected polynomial time. 

Proof: Same as the proof of the previous theorem with one important modification: 
Hardwire the answers to oracle queries in E into the finite state control of M'. When 
M' asks a query in E, do not use a bit from the answer tape. ■ 
We can now prove the analogue of corollary 3.2 using oracle PPTMs Alice and 
Bob. In the case where oracle Alice and oracle Bob have conversation C, and E 
is a finite set of queries and answers, we define another similar space: $A_E^C$ is the 
space of possible computations of oracle Alice consistent with the conversation C, 
where each computation is weighted by its probability of occurring with a random 
oracle consistent with E. The next theorem will be very important in the results on 
secret-key agreement. 

Theorem 4.4 P = NP ⇒ there exists a PPTM that picks a random element of 
$A_E^C$ in expected polynomial time. 

Proof: From Alice's point of view a conversation is a set of inputs and outputs 
occurring at certain prescribed times during her computation. No further modification 
of the above proof technique is required. ■ 



5 Random Permutation Oracles 

Random permutation oracles are similar to the random function oracles discussed in 
the previous section, except that the random functions must be 1-1 onto. A random 
permutation oracle Π is a random length-preserving function from the set of finite 
strings onto itself. Again, the function is chosen from the uniform distribution. 

From the point of view of oracle PPTMs, there is no difference between the two 
types of oracles. We will formalize this in the spirit of pseudo-randomness. 

A tester is an oracle PPTM which, given n and a function oracle from n-bit strings 
to n-bit strings, outputs either 0 or 1. Let T be a tester. Let $P_n$ be the probability 
that T will output a 0, when given n and a random function from n-bit strings to 
n-bit strings. Let $P'_n$ be the probability that T will output a 0, when given n and a 
random permutation from n-bit strings to n-bit strings. Let $D_{T,n} = |P_n - P'_n|$. Thus, 
$D_{T,n}$ measures how well the tester can distinguish between the two types of oracles. 

Theorem 5.1 For every tester T, $D_{T,n} < \mathrm{poly}(n)/2^n$. 

Proof: Assume T makes $q < \mathrm{poly}(n)$ queries. In the case of a random function oracle, 
the answer to a previously unasked query is a random n-bit number, independent of 
the answers to previously asked queries. Thus, for each query made the probability 
that it gets the same answer as a previously made query is less than $q/2^n$. Summing, 
we conclude that the probability that two queries received the same answer is less 
than $q^2/2^n$. Next we observe that the distribution on possible query answers, given 
that all query answers are different, is the same for random function oracles and 
random permutation oracles; the probability that T will output a 0 given that all 
query answers are different, is the same for the two types of oracles. It follows that 
$D_{T,n} < q^2/2^n$. ■ 
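As an added experiment (my code, not the paper's), the proof of Theorem 5.1 can be checked numerically for the tester it implicitly has in mind: ask q distinct queries and output 0 iff two answers collide. Against a random permutation oracle that tester never outputs 0, so its advantage D_{T,n} is exactly the birthday probability that q uniform n-bit values are not all distinct, which the code compares with the proof's union bound q²/2^n and with a Monte Carlo estimate over lazily sampled oracles. Both oracle classes, the tester and the helper names are assumptions of this example; the permutation oracle draws each fresh answer by rejection sampling, which is adequate for the small n used here.

```python
import random


class RandomFunctionOracle:
    """Random function oracle on n-bit strings, sampled lazily: a query never asked
    before gets a uniform n-bit answer, independent of all earlier answers."""

    def __init__(self, n, rng):
        self.n, self.rng, self.table = n, rng, {}

    def query(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.n)
        return self.table[x]


class RandomPermutationOracle(RandomFunctionOracle):
    """Random permutation oracle: a fresh query gets a uniform answer among the
    n-bit values not yet handed out, so two distinct queries never collide."""

    def __init__(self, n, rng):
        super().__init__(n, rng)
        self.used = set()

    def query(self, x):
        if x not in self.table:
            y = self.rng.getrandbits(self.n)       # rejection sampling (small n only)
            while y in self.used:
                y = self.rng.getrandbits(self.n)
            self.used.add(y)
            self.table[x] = y
        return self.table[x]


def collision_tester(oracle, q):
    """Ask q distinct queries; output 0 iff two of them got the same answer."""
    answers = [oracle.query(x) for x in range(q)]
    return 0 if len(set(answers)) < q else 1


def exact_collision_probability(n, q):
    """P_n for the collision tester (probability that q uniform n-bit values are
    not all distinct).  P'_n is 0 for this tester, so this is also D_{T,n}."""
    p_all_distinct = 1.0
    for k in range(q):
        p_all_distinct *= 1 - k / 2 ** n
    return 1 - p_all_distinct


def union_bound(n, q):
    """The proof's bound: q queries, each colliding with an earlier one with
    probability below q/2^n, gives q^2/2^n in total."""
    return q * q / 2 ** n


def estimate_advantage(n, q, trials, seed=0):
    """Monte Carlo estimate of D_{T,n} = |P_n - P'_n| for the collision tester."""
    if q > 2 ** n:
        raise ValueError("cannot ask more than 2^n distinct n-bit queries")
    rng = random.Random(seed)
    zeros_fn = sum(collision_tester(RandomFunctionOracle(n, rng), q) == 0
                   for _ in range(trials))
    zeros_perm = sum(collision_tester(RandomPermutationOracle(n, rng), q) == 0
                     for _ in range(trials))
    return abs(zeros_fn / trials - zeros_perm / trials)


def permutation_never_collides(n, trials, seed=0):
    """Even when every n-bit input is queried, a permutation oracle yields no collision."""
    rng = random.Random(seed)
    return all(collision_tester(RandomPermutationOracle(n, rng), 2 ** n) == 1
               for _ in range(trials))


if __name__ == "__main__":
    n, q = 8, 4
    print("estimated D_{T,n}:", estimate_advantage(n, q, trials=4000))
    print("exact D_{T,n}:    ", exact_collision_probability(n, q))
    print("q^2/2^n bound:    ", union_bound(n, q))
```

The exact birthday value sits below the union bound, as the proof requires, and the gap between them shrinks the same way as n grows: both are polynomial in q divided by 2^n, which is the shape of the theorem's statement.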

The above theorem will allow us to first prove our results relative to a random 
oracle, and then extend them to a random permutation oracle. 

It is a standard theorem that random permutations are very hard to invert. 

Theorem 5.2 Measure one of random permutation oracles are one-way in the strongest 
possible sense: For every oracle PPTM, there exists a poly, such that the machine 
has expectation no more than $\mathrm{poly}(n)/2^n$ of inverting the inputs of length n. 

6 Cryptographic Lower Bounds 

6.1 Introduction 

We will show that the existence of a very strong one-way permutation is not an 
assumption likely to yield a proof that secure secret key agreement is possible. By 
theorem 5.2, we know that a random permutation oracle is one-way in the strongest 
possible sense. Therefore, we will use the availability of a random permutation oracle 
to model the existence of an ideal one-way permutation. We will show that it is 
as hard to prove secure secret key agreement is possible using a common random 
permutation oracle as it is to prove P ≠ NP. The result will take the form of the 
contrapositive: P = NP implies that any secret-key agreement protocol can be broken 
even when a random permutation oracle is available to all parties. 

Summarizing the results of this section: We first show that P = NP implies there 
is no secret-key agreement protocol that is secure with measure 1/poly of random 
oracles (random function oracles). Theorem 5.1 will be used to extend the result 
to random permutation oracles. Further strengthening the result by swapping the 
quantifiers, we show P = NP implies for measure one of oracles there is no secure 
secret-key agreement. A corollary of this result is the existence of an oracle relative 
to which one-way permutations exist, but secure secret-key agreement is impossible. 
We also distinguish between two strong senses of breaking a secret-key agreement 
protocol. 

6.2 A normal form for secret-key agreement 

To facilitate our analysis, we will assume that the secret-key agreement protocol has 
a normal form. Communication takes place in n rounds. Each round involves one 
person speaking and computing. Before each round, the party who is to speak asks 
the oracle a single query, and then does some computation. If Alice speaks first, 
the protocol would take the following form: Alice queries the oracle; Alice computes; 
Alice speaks (i.e. writes on the communication tape); Bob queries the oracle; Bob 
computes; Bob speaks; Alice queries the oracle; Alice computes; Alice speaks; Bob 
queries the oracle; . . . 

Any protocol can be converted to normal form with only a polynomial blow-up in 
running time. 

6.3 Notation and definitions 

We wish to investigate a random world where Alice and Bob attempt to agree on an l-bit 
secret. In other words, we vary over runs of Alice, Bob, and Eve; and over oracles. 
Formally, a world situation is a five-tuple $\langle l, random_{Alice}, random_{Bob}, random_{Eve}, R\rangle$. 
l, the input to Alice, Bob, and Eve, is the length of the secret being agreed 
upon; $random_{Alice}$, $random_{Bob}$, and $random_{Eve}$ are random bit tapes for Alice, Bob, 
and Eve to use during their computations (the random bit tapes are just long enough 
that they never get used up). R is a random oracle. Let $WS_l$ be the set of all world 
situations where Alice and Bob attempt to agree on an l-length secret (l is the first 
entry of the five-tuple). We will also think of $WS_l$ as a probability space with the 
uniform distribution. A world situation determines a random run of the protocol with 
a random oracle. With each world situation we can associate the following variables: 

$C_r$, the conversation up to and including round r. 

$q_r$, the query asked in round r. 

$A_r$, the query-answer pairs Alice knows up to and including round r. 

$B_r$, the query-answer pairs Bob knows up to and including round r. 

If it is ambiguous which world situation $C_r$ comes from, we write $C_r^w$ to mean the 
conversation comes from world situation w. 

World situation w satisfies $C_r$ (written $w \models C_r$) means that the conversation 
between the machines in w is identical to $C_r$ for the first r rounds. We will use the 
$\models$ notation with the other world situation variables as well. 

Notice that none of the three polynomial time machines involved will be able to 
access the oracle past some very large address. Thus, without any loss, we can think 
of the oracle as finite. This means that the probability space $WS_l$ is finite. Similarly 
any space we will discuss can be considered finite. This technical point will prevent 
the reader from suspecting any measure-theoretic fallacy. 

6.4 Eve's sample space 

We need to define the probability distributions Eve samples from during her algo- 
rithm. They have already been described in section 4.2, Theorem 4.4. We define 
them again here. 
Call a random tape for Alice consistent with conversation $C_r$ and oracle R if the 
run of Alice, determined by the random tape and input from Bob's portion of $C_r$, 
outputs Alice's portion of $C_r$. (What she does after round r does not matter.) Let E 
be a finite set of query-answer pairs. 

Let $AS_E^{C_r}$ be the set of <oracle, random tape for Alice> pairs such that E is 
in the oracle and the random tape for Alice is consistent with $C_r$ and the oracle. 
Eve will be sampling from the space $A_E^{C_r}$ of computations of Alice consistent with 
$C_r$ and the query-answer pairs in E. The distribution on $A_E^{C_r}$ is induced from the 
uniform distribution on $AS_E^{C_r}$: sample a point in $AS_E^{C_r}$; that point corresponds to 
a computation of Alice, since an <oracle, random tape for Alice> pair corresponds to 
a <finite portion of the oracle used during the computation, random tape for Alice> 
pair. 

6.5 Eve's algorithm 

We now give an algorithm for Eve to break a secret-key agreement protocol in a 
random world. This algorithm runs in polynomial time under the assumption that 
P = NP. $\delta_l$ is a function of the form 1/poly (called a security parameter), which 
determines Eve's probability of failure. The smaller $\delta_l$, the longer Eve must run to 
break the protocol. 

For each of n rounds of communication between Alice and Bob, Eve does 
$m = \lceil 3(n/\delta_l)\ln(2n/\delta_l) \rceil$ segments. Each segment has a simulate phase and an update 
phase. We will describe these phases in segment i for round r. 

Without loss of generality, assume Alice speaks in round r. Let $E_{r,i-1}$ be the finite 
set of query-answer pairs that Eve knows about the oracle so far; $\langle q, a \rangle \in E_{r,i-1}$ iff 
prior to round r, segment i, Eve has asked if q is in the oracle ($q \in R$?), and received 
answer a. Recall that $C_r$ is the conversation that has occurred up to this round. 

SIMULATION PHASE: 

Using the method described in theorem 4.4, Eve picks a random run of Alice from 
the space $A_{E_{r,i-1}}^{C_r}$. (If Bob speaks in round r, Eve would instead simulate Bob.) Let 
$F_{r,i}$ be the set of queries that the simulated run of Alice asks her simulated oracle. 
(Note that so far in this segment, we have not asked any real oracle queries. Recall 
that when simulating a random Alice, we make up the answers to the oracle queries.) 

UPDATING PHASE: 

Eve asks all the queries in $F_{r,i}$ of the actual oracle R. Thus, $E_{r,i}$ equals $E_{r,i-1}$ 
union the new query-answer pairs Eve learned by asking $F_{r,i}$ of the oracle. 

The following variables are also associated with any world situation: 

$E_{r,i}$, the query-answer pairs Eve knows up to and including the ith segment of her 
simulation of round r. 

$E_{r,0}$, the query-answer pairs Eve knows before she simulates round r. ($E_{r,0} = 
E_{r-1,m}$.) 

$BPQ_{r,i}$, the query-answer pairs Bob knows and Eve does not, up to and including 
round r, segment i. BPQ stands for Bob's private queries. Note the relation: 
$BPQ_{r,i} = BPQ_{r,0} - E_{r,i}$. 

6.6 Intersection queries and the secret 

Intersection queries are the queries Alice and Bob ask in common during an execution 
of their protocol. A particular query becomes an intersection query, not when it is 
first asked by one party, but rather when it is later asked by the other party. For 
conceptual unity, we can assume without loss of generality that the secret is an 
intersection query; assume that as their final act Alice and Bob query the oracle at 
the location addressed by the secret. 

The next theorem will prove that with high probability Eve finds all the 
intersection queries. Thus, Eve will have a polynomial-length list containing the secret; 
Eve breaks the protocol. 

6.7 The efficacy of Eve's algorithm 

Theorem 6.1 Suppose Alice and Bob attempt to agree on an l-length secret. The 
probability that Eve finds all the intersection queries is greater than $1 - \delta_l$. Formally, 
$\mathrm{PROB}_{w \in WS_l}[A_n \cap B_n \subseteq E_{n,m}] > 1 - \delta_l$. 

Proof: (We show the stronger result that Eve probably anticipates (asks) a query 
before it becomes an intersection query.) Eve's algorithm has n rounds. If Eve fails to 
find all intersection queries, there must be a first round where she fails to anticipate an 
intersection query that occurs in the next round; there exists a first time $q \in A_r \cap B_r$ 
and $q \notin E_{r-1,m}$. To formalize the event that Eve fails for the first time to anticipate 
an intersection query in the next round, we write it as the conjunct of three events: 

• Eve has, in previous rounds, anticipated all intersection queries about to 
happen. (Thus, Eve knows all intersection queries to date.) 

• $q_{r+1}$, the query asked in the next round, is an intersection query. 

AND 

• Eve fails to find $q_{r+1}$. ($q_{r+1} \notin E_{r,m}$.) 

Lemma 6.1, the technical heart of the proof, will show this event has probability no 
more than $\delta_l/n$ by showing that the complementary event has probability greater 
than $1 - \delta_l/n$. Thus, for each round the probability of failing for the first time to 
anticipate an intersection query in the next round is less than $\delta_l/n$. Summing the 
error probability for each round, we get a total error probability bounded by $\delta_l$. ■ 
Lemma 6.1 The probability that in round r, either 

• In a previous round, Eve failed to anticipate the intersection query about to 
happen, 

• $q_{r+1}$ is not an intersection query, 

OR 

• Eve finds $q_{r+1}$ 

is greater than $1 - \delta_l/n$. 

The proof of this lemma can be found in STOC'89. 

Theorem 6.2 Theorem 6.1 is true relative to a random permutation oracle: Given 
any secret-key agreement protocol and a random permutation oracle, the probability 
that Eve finds all the intersection queries is greater than $1 - \delta_l/2$. 

Proof: Assume not. We will construct a tester to distinguish between a random 
function oracle and a random permutation oracle. We start with a protocol where 
Eve will find all the intersection queries with probability less than $1 - \delta_l/2$ if a random 
permutation oracle is used, and probability greater than $1 - \delta_l$ if a random function 
oracle is used. A tester can simulate runs of Alice, Bob, and Eve, counting the fraction 
of times Eve finds all the intersection queries. The essence of the situation is that the 
tester is flipping a coin with two possible biases: $1 - \delta_l/2$ and $1 - \delta_l$; the tester must 
guess which. If the tester flips the coin $1/\delta_l^2$ times, even a very weak form of the law 
of large numbers would tell us that Eve can guess the bias of the coin at least 99% 
of the time. This very strongly contradicts theorem 5.1. ■ 

Notice the order of the quantifiers in the above result. We picked the protocol 
between Alice and Bob, then we picked the oracle (since the protocol is bound by 
definition to work with a random oracle). Then, we showed Eve can break the pro- 
tocol. We prove a stronger result which reverses the quantifiers. First, we pick a 
random oracle; then a protocol for Alice and Bob (this time the protocol need not 
work properly on other oracles). Then, we show that Eve can break the protocol 
relative to the chosen oracle. 

Theorem 6.3 P = NP ⇒ relative to a random permutation oracle, any secret key 
agreement scheme can be broken. 

Proof: First, we argue that for every secret-key agreement protocol, there are only 
measure zero of oracles where it can't be broken. Fix a protocol. The P = NP 
assumption allows us to use Eve's algorithm as before. Choose $\delta_l = 1/l^{2+\epsilon}$. Theorem 
6.1 tells us that in $1 - \delta_l/2$ of world situations we succeed in breaking the protocol. 
By the pigeon-hole principle, for each length l, there are $1 - \sqrt{\delta_l/2}$ oracles relative 
to which there is a $1 - \sqrt{\delta_l/2}$ chance of Eve breaking the protocol. Call all such 
oracles good for length l. The probability that a random oracle fails to be good for 
length l is $\sqrt{\delta_l/2}$. $\sum_l \sqrt{\delta_l/2}$ converges; by the Borel-Cantelli lemma, measure one 
of oracles are good on all but finitely many lengths. For measure one of the oracles, 
past some length, Eve has a $1 - \sqrt{\delta_l/2}$ chance of breaking the protocol. (We can 
even non-uniformly boost Eve's ability to break protocols for finitely many lengths.) 
Thus, there are only measure zero oracles where the protocol can't be broken. 

For each of the countably many protocols we throw out the measure zero of oracles 
where the protocol is secure. We have thrown out measure zero in all. Every protocol 
can be broken relative to the measure one of remaining oracles. ■ 



Corollary 6.1 There exists an oracle relative to which a strongly one-way permuta- 
tion exists, but secure secret-key agreement is impossible. 

Proof: Consider any oracle world where P = NP. Add a random permutation oracle 
to this world. Because all the techniques in our theorem relativize, we can conclude 
that secure secret-key agreement is not possible in the resulting world. 

Construct an example of such an oracle as follows: The even numbers form an 
oracle for PSPACE (a PSPACE-complete problem), the odd numbers form a random 
permutation oracle. P = NP relative to a PSPACE-complete oracle. We know the 
random permutation is one-way in the strongest possible sense. ■ 



The only other relativized result that we know in cryptography is Brassard [Bra83, 
Bra]. He explicitly constructs an oracle where secret-key agreement is possible. 

So far, our sense of breaking a secret key agreement consists of finding a polynomial- 
sized list with the secret on it somewhere. The strongest sense of breaking secret key 
agreement is clearly to find the secret itself. We show how to extend Eve to actually 
find the secret. For the same reasons as before, the argument works equally well with 
both random oracles and random permutation oracles. 

Eve's strategy can be extended as follows: Eve's final round will be her simulation 
of the (n − 1)th round of the protocol. In each segment of her final round, Eve records 
her last query to the oracle. (Recall that the last query to the oracle should be 
thought of as the secret.) Of the final queries Eve has recorded, she outputs the one 
which occurs the majority of the time. (If there is no majority, output "failure".) 

Theorem 6.4 Suppose that Alice and Bob agree on a secret with probability at least 
$1 - \alpha$ over world situations in $WS_l$. Then, for every $\delta > 0$, there exists an Eve who 
can guess the secret with probability at least $1 - \alpha(2 + \delta)$ over world situations in $WS_l$. 



The proof of this theorem can be found in STOC'89. 

7 Related Work and Open Problems 

In the work presented here, as in much of theoretical cryptography, we do not go into 
exactly how much time the adversary will take to break the protocol, as long as this 
time is polynomial. However, in real life, a protocol taking a large degree polynomial 
time to break may be almost as good as one secure against any polynomial time 
adversary. Merkle [Mer78] has suggested a protocol, based on any one-way function, 
the breaking of which would require an eavesdropper to take time quadratic in the 
time taken by the participants. (Here, time is measured as the number of calls to 
a black box for the one-way function.) We showed that for a protocol in normal 
form, an eavesdropper can always break the protocol in time $O(n^3 \log n)$; however, 
to put the protocol into normal form may square n, so our eavesdropper is actually 
taking time $O(n^6 \log n)$. This leaves open Merkle's question of whether his scheme is 
optimal. 

Another general question brought up by this research is whether similar statements 
can be proved for other cryptographic applications. We have previously given a list 
of applications at least as strong as secret key agreement; that these are unlikely to 
be consequences of the existence of a one-way permutation follows from the result 
here. However, it would be interesting to show that there is some natural application 
which cannot even be based on a much stronger assumption, such as the existence of 
a trapdoor permutation. 
Abstract 

Secret Sharing from the perspective of threshold schemes has been well- 
studied over the past decade. Threshold schemes, however, can only handle a 
small fraction of the secret sharing functions which we may wish to form. For 
example, if it is desirable to divide a secret among four participants A, B, C, 
and D in such a way that either A together with B can reconstruct the secret 
or C together with D can reconstruct the secret, then threshold schemes (even 
with weighting) are provably insufficient. 

This paper will present general methods for constructing secret sharing 
schemes for any given secret sharing function. There is a natural correspon- 
dence between the set of "generalized" secret sharing functions and the set of 
monotone functions, and tools developed for simplifying the latter set can be 
applied equally well to the former set. 

1 Introduction 

The threshold schemes for secret sharing introduced by Blakley ([Blak79]) and 
Shamir ([Sham79]) have found many applications in recent years. There are, how- 
ever, many secret sharing applications which do not fit into the model of threshold 
schemes. 

In a recent paper ([ISN87]), Ito, Saito, and Nishizeki describe a general method 
of secret sharing whereby a secret can be divided among a set P of trustees such 
that any "qualified subset" of P can reconstruct the secret and such that unqualified 
subsets cannot. As they point out, it is most sensible to talk only about families of 
qualified subsets (or access structures) $\mathcal{A}$ which satisfy the property 

$A \in \mathcal{A},\ A \subseteq A' \Rightarrow A' \in \mathcal{A}$. 

It is hard to imagine a meaningful method of sharing a secret which does not satisfy 
this property. 

The method of Ito, Saito, and Nishizeki can be roughly described as follows. For 
each of the (up to order $2^{|P|}$) sets of the access structure $\mathcal{A}$, divide the secret among 
each member of the set.¹ Thus, in the worst case, each of the n trustees may have 
to hold on the order of $2^n$ shares. 

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 27-35, 1990. 
© Springer-Verlag Berlin Heidelberg 1990 

This paper gives a far simpler and more efficient method of developing a secret 
sharing scheme for any monotone access structure. The idea is to translate the 
access structure into a monotone formula. 

Each variable in the formula is associated with a trustee in P, and the value 
of the formula is true if and only if the set of variables which are true corresponds 
to a subset of P which is in the access structure (i.e. the variables which are true 
correspond to a subset of trustees qualified to reconstruct the secret). This formula 
is then used as a template to describe how a secret is to be divided into shares. 

Since every monotone function can be implemented using just AND operators and 
OR operators, it is sufficient to show how to divide a secret "across" each of these two 
operators. It will be shown later how these formulae can be made more efficient by 
using general THRESHOLD operators and appealing to traditional threshold schemes. 

Let $p_1$ and $p_2$ be trustees in P. To divide a secret s into shares such that $p_1$ and 
$p_2$ can reconstruct s, $p_1$ can be given a value $s_1$ and $p_2$ given a value $s_2$ such that 
$s = s_1 + s_2$. If s is selected from the range $0 \le s < m$, then $s_1$ and $s_2$ can be chosen 
uniformly from this range subject to the constraint that $s = (s_1 + s_2) \bmod m$. In 
this case it can be shown in a very strong sense that neither $p_1$ nor $p_2$ can, without 
the other, obtain any information whatsoever about s. 

To divide a secret s into shares such that $p_1$ or $p_2$ can reconstruct s, $p_1$ and $p_2$ 
can simply both be given the value s. With these two building blocks, it is easy to 
see how to construct a secret sharing scheme for any monotone access structure. 

For instance, in the earlier example, a secret sharing scheme is sought for which 
either A together with B or C together with D can reconstruct the secret value s. 
The corresponding access structure can be written as $((A \wedge B) \vee (C \wedge D))$. Thus, to 
share a secret s according to this access structure, the secret is first moved across 
the OR yielding a situation in which the secret s now must be shared among AB and 
among CD. The value s is now moved across the two AND operators, yielding shares 
$s_A$, $s_B$, $s_C$, and $s_D$ belonging respectively to A, B, C, and D such that $s_A + s_B = s$ 
and $s_C + s_D = s$. If the shares generated when a value is moved across an AND 
gate are random and independent of other selections, then it is not hard to show 
in a very strong sense that insufficient subsets of trustees obtain no information 
whatsoever about the original secret value. 

There is, of course, no need to limit these gates to two inputs since both of 
the above operations generalize directly to gates with arbitrary fan-in. In general, 
a value can be moved across an arbitrary THRESHOLD operator by appealing to 
a traditional threshold scheme such as the Shamir scheme ([Sham79]). If some 
intermediate value s in a formula is to be moved across a threshold operator with n 
arguments and threshold k, the secret s is divided among the n arguments according 
to a (k, n)-threshold scheme, and these shares become the intermediate values for 
the next level of the formula. 
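The three rules just described (AND: random additive split, OR: copy, THRESHOLD: a Shamir (k, n)-scheme, applied recursively down the formula) can be written out as one small program. The following is an added example, not the paper's own code: it encodes a monotone formula as nested tuples, moves a secret across every gate, and reconstructs from any subset of trustees, returning None for an unqualified subset. Everything is done in a single prime field (a constructed choice, so that additive shares and Shamir shares live in the same domain), leaves are numbered in traversal order so a trustee who appears at several leaves holds several shares, and the function names, the tuple encoding and the seeded secret are assumptions of this example. The qualified() helper evaluates the formula directly, giving the access structure the paper says is defined by the formula, so the demo checks that a subset recovers the secret exactly when it is qualified.

```python
import random

PRIME = 2 ** 61 - 1   # constructed choice: one prime field for the secret and all shares


def shamir_split(s, k, n, rng):
    """(k, n)-threshold shares of s: a random degree-(k-1) polynomial with
    constant term s, evaluated at x = 1..n.  Returns {x: share}."""
    coeffs = [s] + [rng.randrange(PRIME) for _ in range(k - 1)]
    shares = {}
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation
            y = (y * x + c) % PRIME
        shares[x] = y
    return shares


def shamir_recover(points):
    """Lagrange interpolation at x = 0 from any k points {x: share}."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


# Formula nodes: ('var', trustee), ('and', [subs]), ('or', [subs]), ('thr', k, [subs]).
def gate(node):
    """(threshold k, children) of a gate: AND needs all inputs, OR needs one."""
    if node[0] == 'thr':
        return node[1], node[2]
    return (len(node[1]) if node[0] == 'and' else 1), node[1]


def share(formula, s, rng):
    """Move s across the gates: AND = random additive split mod PRIME, OR = copy,
    THRESHOLD = Shamir.  Returns {trustee: {leaf_number: share}}."""
    out = {}
    def walk(node, value, leaf):
        if node[0] == 'var':
            out.setdefault(node[1], {})[leaf] = value
            return leaf + 1
        k, subs = gate(node)
        if node[0] == 'and':
            parts = [rng.randrange(PRIME) for _ in subs[:-1]]
            parts.append((value - sum(parts)) % PRIME)
        elif node[0] == 'or':
            parts = [value] * len(subs)
        else:
            parts = list(shamir_split(value, k, len(subs), rng).values())
        for sub, part in zip(subs, parts):
            leaf = walk(sub, part, leaf)
        return leaf
    walk(formula, s % PRIME, 0)
    return out


def reconstruct(formula, held):
    """held = {trustee: {leaf_number: share}} for the trustees present.  Returns
    the secret, or None when the present trustees are not a qualified subset."""
    def walk(node, leaf):
        if node[0] == 'var':
            return held.get(node[1], {}).get(leaf), leaf + 1
        k, subs = gate(node)
        known = {}
        for x, sub in enumerate(subs, start=1):
            value, leaf = walk(sub, leaf)
            if value is not None:
                known[x] = value
        if len(known) < k:
            return None, leaf
        if node[0] == 'and':
            return sum(known.values()) % PRIME, leaf
        if node[0] == 'or':
            return next(iter(known.values())), leaf
        return shamir_recover(dict(list(known.items())[:k])), leaf
    return walk(formula, 0)[0]


def qualified(formula, present):
    """The access structure defined by the formula: evaluate it with exactly the
    variables in `present` set to true."""
    if formula[0] == 'var':
        return formula[1] in present
    k, subs = gate(formula)
    return sum(qualified(sub, present) for sub in subs) >= k


def demo(secret=123456789, seed=7):
    """The paper's ((A and B) or (C and D)) example, extended with a 2-of-3 gate."""
    rng = random.Random(seed)
    formula = ('or', [('and', [('var', 'A'), ('var', 'B')]),
                      ('and', [('var', 'C'), ('var', 'D')]),
                      ('thr', 2, [('var', 'E'), ('var', 'F'), ('var', 'G')])])
    shares = share(formula, secret, rng)
    results = {}
    for subset in ('AB', 'CD', 'EG', 'ABC', 'AC', 'BD', 'E'):
        held = {p: shares[p] for p in subset}
        results[subset] = (qualified(formula, set(subset)), reconstruct(formula, held))
    return results     # qualified subsets recover the secret, the others get None
```

Note that the number of shares a trustee holds equals the number of leaves labelled with that trustee, which is the paper's point that share size tracks formula size; an OR gate costs nothing in field operations, while a THRESHOLD gate costs one Lagrange interpolation per reconstruction.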



¹ There is actually some minimization done as will be described later. 
Since AND operators and OR operators are special cases of THRESHOLD operators, 
it would suffice to apply the Shamir threshold scheme to each operator of the 
formula. It is, however, often simpler to apply the direct methods above. Although 
the method of moving a secret across an OR operator described above does correspond 
exactly to Shamir's method of constructing a (1, n)-threshold scheme, the 
method given of moving a secret across an AND operator is computationally simpler 
than a Shamir (n, n)-threshold scheme. In addition, the threshold schemes given by 
Shamir and others have limitations which are not present in the scheme presented 
here. These limitations will be discussed later. 

The method described by Ito, Saito, and Nishizeki in [ISN87] corresponds pre- 
cisely to the case of minimal CNF-formulae in which conjunctions are formed by 
use of (n,n)-threshold schemes rather than by simple sums. 

It is of course true that every monotone formula can be expressed as a CNF-formula and that there are a great many monotone formulae for which the CNF-formula is the smallest possible representation. However, there are also a great many cases in which the use of general monotone formulae (especially when arbitrary threshold operators are allowed) gives a much smaller formula than the CNF-formula. The number of shares which must be given to each trustee in these schemes, as well as the complexity of reconstructing the secret from its shares, are directly related to the size of the formula. 

2 Preliminaries 

To begin with, we must formally define the necessary access structures. 

Definition Given a set $P$, a monotone access structure on $P$ is a family of subsets $\mathcal{A} \subseteq 2^P$ such that 

$A \in \mathcal{A},\ A \subseteq A' \subseteq P \Rightarrow A' \in \mathcal{A}$. 

Definition Let $P$ be a set. The set $V$ of variables indexed by $P$ is the set $V = \{v_p : p \in P\}$. 

Definition Given a monotone function $F$ on variables indexed by a set $P$, the access structure defined by $F$ is the set of subsets $A$ of $P$ for which $F$ is true precisely when the variables indexed by $A$ are set to true. 

It is clear that for every monotone function $F$, the access structure defined by $F$ is a monotone access structure. 

Definition For a given set $P$ and a monotone access structure $\mathcal{A}$ on $P$, define $\mathcal{F}(\mathcal{A})$ to be the set of monotone formulae on $|P|$ variables such that for every formula $F \in \mathcal{F}(\mathcal{A})$, the output of $F$ is true if and only if the true variables in $F$ correspond exactly to a set $A \in \mathcal{A}$. 

Note that $F, F' \in \mathcal{F}(\mathcal{A})$ implies that $F$ and $F'$ denote the same function. They may, however, represent entirely different formulae to express this function. 
3 Generalized Secret Sharing 

We can now begin to define secret sharing schemes. We start with a standard 
definition for threshold schemes. 

Definition Given a set $S$ of possible secret values, a $(k, n)$-threshold scheme on $S$ is a (randomized) method of dividing each $s \in S$ into an array of shares $[s_1, s_2, \ldots, s_n]$ with each $s_i \in S$ such that 

1. Given any set of $k$ or more of the $s_i$, the secret value $s$ is easily reconstructible. 

2. Given any set of fewer than $k$ of the $s_i$, the secret value $s$ is completely undetermined in an information theoretic sense. 

Shamir's polynomially based threshold scheme (see [Sham79]) satisfies the above definition whenever $|S|$ is a prime greater than $n$. It is not hard to remove the restriction that $|S|$ be prime by, for instance, factoring $|S|$ and using Chinese remaindering to encode secrets and shares. This kind of encoding, however, requires that all prime factors of $|S|$ be greater than $n$. 

Other threshold schemes have been suggested by Blakley ([Blak79]), Asmuth and Bloom ([AsBl80]), and Kothari ([Koth84]), for example. 

We want to show that no threshold scheme is sufficient to realize secret sharing on general monotone access structures. To do this, we show that there is no threshold scheme (even using weighting or multiple shares) such that the access structure $((A \wedge B) \vee (C \wedge D))$ can be achieved. 

Theorem 1 There exist monotone access structures for which there is no threshold 
scheme. 

Proof: 

Consider the access structure $\mathcal{A}$ defined by the formula 

$((A \wedge B) \vee (C \wedge D))$, 

and assume that a threshold scheme is to be used to divide a secret value $s$ among $A$, $B$, $C$, and $D$ such that only those subsets of $\{A, B, C, D\}$ which are in $\mathcal{A}$ can reconstruct $s$. 

Let $a$, $b$, $c$, and $d$ respectively denote the weight (number of shares) held by each of $A$, $B$, $C$, and $D$. Since $A$ together with $B$ can compute the secret, it must be the case that $a + b \ge t$ where $t$ is the value of the threshold. Similarly, since $C$ and $D$ can together compute the secret, it is also true that $c + d \ge t$. 

Now assume without loss of generality that $a \ge b$ and $c \ge d$. (If this is not the case, the variables can be renamed.) Since $a + b \ge t$ and $a \ge b$, $a + a \ge a + b \ge t$. So $a \ge t/2$. Similarly, $c \ge t/2$. Therefore, $a + c \ge t$. 

Thus, $A$ together with $C$ can reconstruct the secret value $s$. This violates the assumption of the access structure. ■ 
Definition For a given threshold scheme, we use $\Phi_k(s; p_1, p_2, \ldots, p_n)$ to denote the random function which assigns shares $[s_1, s_2, \ldots, s_n]$ of a secret value $s$ to trustees $p_1, p_2, \ldots, p_n$. 

For certain access structures, every generalized threshold scheme must be able to assign multiple shares to each trustee (see theorem 3). In this case, we use $s_{i,j}$ to denote the $j$th share given to trustee $p_i$. 

Definition Given a set $P$ and a monotone access structure $\mathcal{A}$ on $P$, a generalized secret sharing scheme for $\mathcal{A}$ is a method of dividing a secret $s$ into shares $s_{i,j}$ such that 

1. When $A \in \mathcal{A}$, the secret $s$ can be reconstructed from the shares $\bigcup_{i \in A} \bigcup_{j} s_{i,j}$. 

2. When $A \notin \mathcal{A}$, the shares $\bigcup_{i \in A} \bigcup_{j} s_{i,j}$ give (in an information theoretic sense) no information whatsoever about the value of $s$. 

We now define a generalized secret sharing scheme which satisfies the above 
definition. 

Assume that the secret domain $S$ is fixed to be the set $\{0, 1, \ldots, m - 1\}$ for some positive integer $m$. We can now formally define the generalized secret sharing scheme described in section 1. 

Let $\Phi(s, F)$ be the random function for $s \in S$ and a monotone formula $F$ defined as follows. 

• $\Phi(s, v_p)$ assigns the share $s$ to trustee $p$. 

• $\Phi(s, A \vee B) = \Phi(s, A) \cup \Phi(s, B)$. 

• $\Phi(s, A \wedge B) = \Phi(s_1, A) \cup \Phi(s_2, B)$, where $s_1$ and $s_2$ are uniformly chosen from the secret domain $S$ such that $s = (s_1 + s_2) \bmod m$. 

If operators are allowed to have more than two arguments and if THRESHOLD operators are to be used, we add the following. 

• $\Phi(s, \vee(F_1, F_2, \ldots, F_n)) = \bigcup_{1 \le i \le n} \Phi(s, F_i)$. 

• $\Phi(s, \wedge(F_1, F_2, \ldots, F_n)) = \bigcup_{1 \le i \le n} \Phi(s_i, F_i)$, where the $s_i$ are chosen uniformly from $S$ such that $s = (\sum_{i=1}^{n} s_i) \bmod m$. 

• $\Phi(s, \mathrm{THRESHOLD}_k(F_1, F_2, \ldots, F_n)) = \bigcup_{1 \le i \le n} \Phi(s_i, F_i)$, where $\Phi_k(s; p_1, p_2, \ldots, p_n) = [s_1, s_2, \ldots, s_n]$. 

We now show that for every monotone access structure $\mathcal{A}$ and every monotone formula $F \in \mathcal{F}(\mathcal{A})$, the secret sharing scheme defined by $\Phi(s, F)$ satisfies the definition of a generalized secret sharing scheme. 
Theorem 2 Let $P$ be a set and let $\mathcal{A}$ be a monotone access structure on $P$. Let $F$ be a member of $\mathcal{F}(\mathcal{A})$, and let $s$ be a secret value in $S = \{0, 1, \ldots, m - 1\}$. The secret sharing scheme defined by $\Phi(s, F)$ is a generalized secret sharing scheme for $\mathcal{A}$. 

Proof: 

It is easy to see that for any set $A \in \mathcal{A}$, the shares belonging to the members of $A$ are sufficient to reconstruct the secret value $s$. 

To see that if $A \notin \mathcal{A}$ then the shares belonging to the members of $A$ give no information about the secret value $s$, we use induction on the number of operators of the formula $F$. 

A formula with no operators consists of a single variable $v_p$. The access structure defined by $v_p$ is the set of subsets of $P$ which contain the trustee $p$. Thus, $\Phi(s, v_p)$ gives the secret value $s$ to $p$ alone and therefore allows only those sets of trustees which include $p$ to determine $s$. 

A monotone formula $F$ with $d > 0$ operators can always be written in the form $o(F_1, F_2, \ldots, F_n)$ where $o$ is one of $\vee$, $\wedge$, $\mathrm{THRESHOLD}_k$, and where each of $F_1, F_2, \ldots, F_n$ is a monotone formula with fewer than $d$ operators. 

If the operator $o$ is $\vee$, then $\Phi(s, \vee(F_1, F_2, \ldots, F_n))$ is the union over $i$ of $\Phi(s, F_i)$. By the inductive hypothesis, for each $i$, the members of a set $A$ of trustees which is not in the access structure $\mathcal{A}$ can obtain no information whatsoever about the value of $s$ from the values of the shares of $\Phi(s, F_i)$. Since for $i \neq j$, the shares of $\Phi(s, F_i)$ are chosen completely independently of the shares of $\Phi(s, F_j)$, no joint information is possible, and therefore, the shares of $\Phi(s, F)$ held by the members of an $A$ not in $\mathcal{A}$ give no information at all about $s$. 

If the operator $o$ is $\wedge$, then $\Phi(s, \wedge(F_1, F_2, \ldots, F_n))$ is the union over $i$ of $\Phi(s_i, F_i)$, where the $s_i$ are chosen uniformly according to the constraint that $s = (\sum_{i=1}^{n} s_i) \bmod m$. For each set $A$ of trustees not in $\mathcal{A}$, there must be some $i$ such that the shares of $\Phi(s_i, F_i)$ held by members of $A$ give no information about $s_i$. (If this were not the case, then $A$ would be in the access structure $\mathcal{A}$.) Since the shares given in each sub-formula are independent, this implies that the sum $s = (\sum_{i=1}^{n} s_i) \bmod m$ is completely undetermined by the shares held by the members of $A$. 

Finally, if the operator $o$ is $\mathrm{THRESHOLD}_k$, then $\Phi(s, \mathrm{THRESHOLD}_k(F_1, F_2, \ldots, F_n))$ is the union over $i$ of $\Phi(s_i, F_i)$, where the $s_i$ are assigned according to the threshold scheme $\Phi_k$ by $\Phi_k(s; F_1, F_2, \ldots, F_n) = [s_1, s_2, \ldots, s_n]$. By assumption, a threshold scheme $\Phi_k$ allows sets of fewer than $k$ shareholders to obtain no information at all about the value of $s$. If $A$ is a set of trustees not in $\mathcal{A}$, then the members of $A$ can obtain direct information about fewer than $k$ of the $s_i$. Again by independence, the shares held by the members of $A$ provide no information whatsoever about the value of $s$. ■ 

Finally, we show that there are access structures which cannot be realized with- 
out giving multiple (or extra large) shares to some trustee. 
Theorem 3 There exist access structures for which any generalized secret sharing scheme must give some trustee shares which are from a domain larger than that of the secret. 

Proof: 

Consider the access structure $\mathcal{A}$ defined by the formula 

$((A \wedge B) \vee (B \wedge C) \vee (C \wedge D))$, 

and fix a value $a$ to be the share held by $A$. 

Let $b_1, \ldots, b_m$ represent the set of possible shares available to $B$. Since $A$ and $B$ are together sufficient to compute the secret value $s$, each share determines exactly one possible value $s_i$ of the secret $s$. Also, since the share $a$ alone is insufficient to give any information about the secret value $s$ and since the number of possible values of $s$ is equal to $m$ (the number of possible values of the share held by $B$), every possible secret value $s_i$ is determined by $a$ together with exactly one value $b_i$. 

Thus, for each $a$, we can construct a set of $m$ pairs $(s_i, b_i)$ which are consistent with $a$ and such that each possible value of the secret and each possible value of $B$'s share appear in exactly one such pair. 

Now consider the possible values of the share held by $C$. Since $B$ and $C$ are together sufficient to compute the secret value $s$, and since each $b_i$ can be matched with exactly one value to form the secret $s_i$, there is exactly one value $c_i$ consistent with each pair $(s_i, b_i)$ in the set. (Note that the $c_i$ are not necessarily distinct.) 

If any two of these $c_i$ are distinct, then considering the value held by $A$ together with the value held by $C$ would eliminate at least one of the possible consistent pairs and thereby eliminate at least one of the possible values of the secret $s$. But $A$ and $C$ are together not sufficient to determine any information about the value of the secret $s$. Thus, the value held by $C$ must be completely determined by the value held by $A$. 

Now since $C$ and $D$ are together sufficient to compute the secret value $s$, the value held by $C$ together with the value held by $D$ is sufficient to compute the secret value $s$. However, the value held by $A$ completely determines the value held by $C$. Thus, the value held by $A$ together with the value held by $D$ is sufficient to compute $s$. This violates the premise that $A$ and $D$ are insufficient. ■ 

4 Generalized Secret Sharing Homomorphisms 

In [Bena86] and [Bena87], Benaloh describes a homomorphism property that is present in many threshold schemes which allows shares of multiple secrets to be combined to form "composite shares" which are shares of a composition of the secrets. Such secret sharing homomorphisms also apply to the generalized secret sharing scheme presented here. 
For instance, if the shares of a secret value $x$ (drawn from a fixed secret domain $S = \{0, 1, \ldots, m - 1\}$) are added to the corresponding shares of a similarly chosen secret value $y$, then the sums represent shares of the value $(x + y) \bmod m$. 

The applications of secret sharing homomorphisms include fault-tolerant verifiable secret-ballot elections as well as verifiable secret sharing. The methods of verifiable secret sharing developed for threshold schemes in [Bena86] and [Bena87] and also by Feldman in [Feld87] can be used for generalized secret sharing too. The approach used by Feldman is actually somewhat better suited to these purposes. Here, the secret is distributed in such a way as to enable each trustee to, without further interaction, verify that its share is a well-formed and valid share of the secret. 

The main requirement of these schemes is the presence of an appropriate homo- 
morphism property, and the homomorphism property described above turns out to 
be sufficient. 
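The construction $\Phi(s, F)$ of section 3 (OR copies the value, AND splits it into random summands, THRESHOLD_k applies Shamir) and the additive share homomorphism of section 4, as an added Python example that is not part of the paper: it deals a secret over a nested-tuple encoding of a monotone formula, reconstructs it from a coalition's shares by walking the formula in the same order, and adds two dealings position-wise. The modulus M = 31, the tuple encoding, the function names and the seeded randomness are this example's own assumptions, not the paper's notation.

```python
import random
from typing import Dict, List, Optional, Set, Tuple

M = 31  # constructed prime modulus: secret domain S = {0, ..., M-1}

# Constructed formula encoding (not the paper's notation): ('var', p) for a
# trustee p, ('or', [F1, ..., Fn]) and ('and', [F1, ..., Fn]) for n-ary
# operators, ('thr', k, [F1, ..., Fn]) for THRESHOLD_k (Shamir needs n < M).
Formula = tuple
Shares = Dict[str, List[int]]   # trustee -> its shares (may hold several)

def shamir_split(s: int, k: int, n: int, rng: random.Random) -> List[int]:
    """(k, n)-threshold split of s after Shamir: evaluate a random polynomial
    of degree k-1 with constant term s at x = 1..n, working mod the prime M."""
    coeffs = [s] + [rng.randrange(M) for _ in range(k - 1)]
    return [sum(c * pow(x, i, M) for i, c in enumerate(coeffs)) % M
            for x in range(1, n + 1)]

def shamir_join(points: List[Tuple[int, int]]) -> int:
    """Recover the constant term from k points by Lagrange interpolation at 0."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % M
                den = den * (xi - xj) % M
        total = (total + yi * num * pow(den, M - 2, M)) % M
    return total

def _deal(s: int, f: Formula, rng: random.Random, out: Shares) -> None:
    """Phi(s, F): OR copies s into every branch, AND splits s into uniformly
    random summands, THRESHOLD_k applies Shamir. Each variable occurrence
    appends one share to its trustee, in a fixed left-to-right order."""
    kind = f[0]
    if kind == 'var':
        out.setdefault(f[1], []).append(s)
    elif kind == 'or':
        for g in f[1]:
            _deal(s, g, rng, out)
    elif kind == 'and':
        parts = [rng.randrange(M) for _ in f[1][:-1]]
        parts.append((s - sum(parts)) % M)      # now sum(parts) == s mod M
        for si, g in zip(parts, f[1]):
            _deal(si, g, rng, out)
    elif kind == 'thr':
        k, branches = f[1], f[2]
        for si, g in zip(shamir_split(s, k, len(branches), rng), branches):
            _deal(si, g, rng, out)
    else:
        raise ValueError(f"unknown operator {kind!r}")

def share_secret(s: int, f: Formula, seed: int) -> Shares:
    """Deal the secret s under formula f (seeded only for reproducibility)."""
    out: Shares = {}
    _deal(s % M, f, random.Random(seed), out)
    return out

def _recover(f: Formula, held: Shares, cur: Dict[str, int]) -> Optional[int]:
    """Walk f in the same order as _deal, consuming one share per variable
    occurrence; returns this node's value, or None if the coalition whose
    shares are in `held` cannot determine it."""
    kind = f[0]
    if kind == 'var':
        p = f[1]
        idx = cur.get(p, 0)
        cur[p] = idx + 1
        return held[p][idx] if p in held else None
    vals = [_recover(g, held, cur) for g in (f[2] if kind == 'thr' else f[1])]
    if kind == 'or':
        return next((v for v in vals if v is not None), None)
    if kind == 'and':
        return None if any(v is None for v in vals) else sum(vals) % M
    pts = [(i + 1, v) for i, v in enumerate(vals) if v is not None]
    return shamir_join(pts[:f[1]]) if len(pts) >= f[1] else None

def recover_secret(f: Formula, shares: Shares, coalition: Set[str]) -> Optional[int]:
    """Reconstruct using only the shares of the trustees in `coalition`."""
    return _recover(f, {p: v for p, v in shares.items() if p in coalition}, {})

def add_shares(a: Shares, b: Shares) -> Shares:
    """Section 4 homomorphism: position-wise sums of two dealings under the
    same formula are shares of (x + y) mod M."""
    return {p: [(u + v) % M for u, v in zip(a[p], b[p])] for p in a}

# Access structures discussed in the paper, in the constructed encoding.
AB_OR_CD = ('or', [('and', [('var', 'A'), ('var', 'B')]),
                   ('and', [('var', 'C'), ('var', 'D')])])        # Theorem 1
CHAIN = ('or', [('and', [('var', 'A'), ('var', 'B')]),
                ('and', [('var', 'B'), ('var', 'C')]),
                ('and', [('var', 'C'), ('var', 'D')])])           # Theorem 3
ANY2 = ('thr', 2, [('var', 'A'), ('var', 'B'),
                   ('and', [('var', 'C'), ('var', 'D')])])        # threshold node

if __name__ == '__main__':                     # quick demonstration run
    sx = share_secret(5, AB_OR_CD, seed=1)
    print(recover_secret(AB_OR_CD, sx, {'A', 'B'}),   # 5
          recover_secret(AB_OR_CD, sx, {'A', 'C'}))   # None
```

Under CHAIN the trustee B receives two shares, which is the point of Theorem 3; under ANY2 any two of A, B and the pair (C, D) suffice.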

5 Conclusions 

This paper has shown how generalized secret sharing can be achieved by a method which is simpler and more efficient than any previous scheme. There are, however, many cases in which this method still cannot be applied efficiently. 

For any given polynomial P, the number of n-variable monotone formulae of 
size no more than P(n) is exponential in P(n). However, the total number of 
monotone functions on n variables is doubly exponential in n. Therefore, most 
monotone access structures cannot be realized with a polynomially large number of 
polynomially sized shares. 

Further methods of secret sharing which can efficiently realize additional access 
structures and an analysis of precisely what access structures can be efficiently 
realized are interesting areas for future research. 
Abstract 

Assuming the existence of a secure probabilistic encryption scheme, we show that every language that admits an interactive proof admits a (computational) zero-knowledge interactive proof. This result extends the result of Goldreich, Micali and Wigderson, that, under the same assumption, all of NP admits zero-knowledge interactive proofs. Assuming envelopes for bit commitment, we show that every language that admits an interactive proof admits a perfect zero-knowledge interactive proof. 



1. Introduction 

Suppose Bob is polynomially time-bounded, but Alice has unlimited computational resources. If $\phi$ is a satisfiable boolean formula, Alice can certainly convince Bob of this fact; she could send Bob a message $y$ describing a satisfying truth assignment for $\phi$, and Bob could check that $y$ does indeed specify a satisfying truth assignment. In other words, the language $L$ of satisfiable boolean formulas is in NP. 

The interaction between Alice and Bob in this example is very simple: Alice sends a single message to Bob, and no other messages are sent between the two. If $\phi$ is satisfiable, there is some message $y$ that Alice might send which will convince Bob to accept. But if $\phi$ is not satisfiable, then no message that Alice might send will convince Bob to accept. 

In the paper of Goldwasser, Micali, and Rackoff [GMR], the authors extend the scenario above in two ways, to arrive at the notion of an interactive proof for the language $L$. First, the interaction between Alice and Bob is allowed to be more complicated, with Alice and Bob exchanging multiple messages. Secondly, Alice and Bob are taken to be probabilistic, and Bob may occasionally accept or reject erroneously. It is required that if an input is in $L$, then Alice can behave in such a way that Bob will almost always accept; but if an input is not in $L$, then, no matter what messages Alice sends, Bob will almost certainly reject. 

A different notion of provability "beyond NP" was independently proposed by Babai [Bab]. This notion is called an Arthur-Merlin protocol. Babai's model is similar to that of [GMR], but is seemingly more limited, because the verifier is required to reveal to the prover all of his coin flips (right after making them). Though this loss of privacy seems an important restriction, Goldwasser and Sipser [GS] show that, in fact, the models are equivalent with respect to language recognition. 

Let IP be the class of languages that admit interactive proofs. Clearly NP $\subseteq$ IP, for an NP-interaction is a special type of IP-interaction, in which the prover (Alice) sends the one and only message, and the verifier (Bob) never errs. However, IP may be a much larger class of languages. For example, there is an interactive proof known for graph nonisomorphism, even though there are not known to be succinct certificates for establishing that a pair of graphs are not isomorphic. 
In this paper, we are concerned with zero-knowledge interactive proofs. A zero-knowledge interactive proof for a language $L$ is an interactive proof for $L$ for which, on any input in $L$, the prover divulges to the verifier no significant amount of information except that the input is in $L$. (The notion of zero-knowledge we refer to has sometimes been called computational zero-knowledge, to distinguish it from two other notions of zero-knowledge that appear in the literature, perfect zero-knowledge and statistical zero-knowledge. [Fo]) For example, a zero-knowledge interactive proof that $\phi$ is a satisfiable boolean predicate convinces the verifier that $\phi$ is satisfiable, but not, say, by exhibiting a satisfying truth assignment. 

Though the models of [Ba] and [GMR] are equivalent with respect to language recognition, they are likely not the same with respect to zero-knowledge; zero-knowledge interactive proofs frequently make use of the verifier's ability to have secret coins. 

It might seem that requiring an interactive proof to be zero-knowledge is generally too much to hope for; one might expect that relatively few languages with interactive proofs admit zero-knowledge interactive proofs. This was shown to probably not be the case in a paper of Goldreich, Micali, and Wigderson [GMW1]. Here the authors show that, assuming the existence of a secure probabilistic encryption scheme, every language in NP admits a zero-knowledge interactive proof. 

We generalize this result to establish that, under the same assumption, every language that admits an interactive proof admits a zero-knowledge interactive proof. 

A brief note on the history of this theorem. The result was stated in [GMW1], attributed to Ben-Or; this proof was never published. A published sketch of a proof appears in the CRYPTO-87 paper of Chaum, Damgard, and van de Graaf [CDG]. However, the result seems to require a stronger assumption, such as a pair of claw-free trapdoor functions. We have learned [I] that Russell Impagliazzo and Moti Yung independently and by different methods had a proof of this theorem, which will appear in journal form shortly [Yu]; their work is sketched in [IY]. 

In this paper, we will point out some subtleties involved and formally prove the theorem. We 
then discuss the "physical model" in which a bit can be committed by putting it in an envelope, 
and we show how to obtain perfect zero-knowledge proofs for IP under this model. The technique 
used here is different from the method that employs encryption. (The proofs of [IY] and [CDG] 
can be adapted to the envelope model, as well, as pointed out by [Br] and [Yu].) 

The paper is organized as follows. Section 2 gives the preliminaries needed to understand the main theorem, including both definitions and well-known or technical results. The reader familiar with this area might skim or skip this section. Section 3 is devoted to the proof of the main theorem. Section 4 shows how to obtain perfect zero-knowledge proofs for languages in IP in the model in which a bit can be committed by putting it in an envelope. The remainder of this section is an informal overview of the proof of the main theorem. 

1.1. Overview of the construction 

We wish to show that, if $(P \leftrightarrow V)$ is an interactive proof system for the language $L$, then $P$ and $V$ can be modified to $P'$ and $V'$, such that $(P' \leftrightarrow V')$ is an interactive proof system for $L$, but $P'$ is zero-knowledge over $L$. 

Suppose $(P \leftrightarrow V)$ is an interactive proof system for the language $L$. We would like to carry out the "same interaction" in a way that betrays essentially no information to $V$. To do this, we could have $P$ encrypt each message that it sends to $V$. That is, $P$ uses a secure encryption function, $E$. On the $i$th round, when $P$ "would have" sent to $V$ the string $y_i$, $P$ instead sends to $V$ the string $E(y_i, d_i)$, a random encryption of $y_i$. (We assume that $E(x, s) = E(y, t)$ implies $x = y$, and that from $E(x, s)$ and $s$ one can efficiently compute $x$. Security is with respect to nonuniform poly-time computation.) 

There are two immediate difficulties. First, how can $V$ be expected to compute his responses to $P$, since he doesn't understand what $P$ has sent? Second, how can $V$ be convinced to accept the string $x$ if, as far as he can tell, $P$ has sent him complete gibberish? 

The first problem, that $V$ won't know what to do with the messages he's received, is answered as follows. By the result of Goldwasser and Sipser [GS], there is an Arthur-Merlin protocol, $(M \leftrightarrow A)$, for the same language, $L$. In $(M \leftrightarrow A)$, Arthur sends only his coin flips, so Arthur needn't understand the messages he's received in order to respond. 

The second problem, that Arthur can't tell whether or not he ought to accept, is answered as follows. If Arthur could guess the encryption keys, $d_1, d_2, \ldots$, he would have no problem knowing whether or not to accept, for he could decrypt each message sent by Merlin and accept or reject based on the same predicate he would have used had the conversation been carried out unencrypted. Of course, Arthur can't be expected to guess $d_1, d_2, \ldots$, but the statement "If you guessed $d_1, d_2, \ldots$, you'd accept $x$ based on this interaction" is in NP. Since, by [GMW1], all of NP can be proven in zero-knowledge, there is a way for Merlin to convince Arthur of the validity of this statement that is in zero-knowledge. 

The construction just given has the following defect: 

To show that $(M \leftrightarrow A)$ is a zero-knowledge proof system for $L$, we need to argue that any $A^*$ learns essentially nothing by interacting with $M$. Suppose $A^*$ cheats by flipping a biased coin in place of his random tape, with bias, say, $p = 3/4$. If $A^*$ several times interacts with $M$ on a common input $x \in L$, and if $M$ usually convinces $A^*$ to accept, then, intuitively, $A^*$ has learned something: that most strings taken from this distribution lead to accepting $x$ when used for $A$'s random coins. This is "real knowledge," for it is entirely possible that even though $M$ usually convinces $A$ to accept if $A$ uses a fair coin, $M$ usually fails to convince $A$ to accept if $A$ uses a 3/4-biased coin. 

(If we tried to prove that $M$ is zero-knowledge, here's where we'd get stuck. The simulator $M_{A^*}$ simulates the behavior of a "virtual prover," $P^*$, interacting with $A^*$. On common input $x \in L$, $P^*$ sends random encryptions of the appropriate length string of 0's. When this phase of the interaction is finished, we append a simulated proof that Arthur would accept if he correctly guessed $d_1, d_2, \ldots$. But it is not always appropriate to append this simulated proof! For in the real interaction, $(M \leftrightarrow A^*)$, $A^*$ sometimes rejects strings in $L$. Quite possibly, $A^*$ has chosen a distribution of strings for which $A$ would usually reject strings in $L$. So if $P^*$ always appends the simulated proof that Arthur would accept, the resulting view may significantly differ from the real view of the interaction. But $P^*$ has no way to know if it ought or ought not send the simulated proof.) 

One possible fix is to use the result of Goldreich, Mansour, and Sipser [GMS], which says that we may, without loss of generality, take $(M \leftrightarrow A)$ to be one-sided. That is, we may assume that regardless of the coins that $A$ employs on $x \in L$, $A$ will be convinced to accept $x$. (Consequently, it will always be appropriate for $P^*$ to convince $A^*$ to accept in the simulated interaction.) This is the course that we shall follow. 

Another possible fix is to use a "coin flip into the well" for $A$'s coins ([Bl]). To make this proposal work, it is necessary that the coin flips that are agreed to are statistically indistinguishable ([Fo]) from truly random coin flips. 

It is important that, in our formulation, independent encryption functions are, effectively, used on each round of the interaction. For example, we cannot prove that it will be zero-knowledge for the prover to choose a public key encryption algorithm, $E$, with decryption algorithm $D$, send $E$ to the verifier, and then send a random encryption of $y_i$ under $E$, when $y_i$ would otherwise be sent. (The verifier is convinced via the assertion, "If you guessed $D$, you'd accept the corresponding unencrypted conversation.") 

(Here is the problem with such a scheme: Merlin, having received strings $x_1, \ldots, x_i$ from $A^*$, computes $y_i$ by a probabilistic function of $(x, x_1, \ldots, x_i)$. Thus $y_i$ is drawn from a probability space $R_i$ which $A^*$ has some influence over. The encryption function is secure, so $(x_1, \ldots, x_i)$ can be only slightly correlated to $D$. But a weak correlation of $(x, x_1, \ldots, x_i)$ to $D$ may result in $R_i$ being strongly correlated to $D$, for $M$ is not necessarily polynomial time. In fact, there is no reason to assume that $R_i$ is not precisely the space that $A^*$ wants it to be. But we mustn't allow $A^*$ to have such strong influence over $R_i$; what if $A^*$ forces $R_i$ to be the space, say, with unit probability mass on $D$? Then Merlin sends Arthur $E(D)$ (a random encryption of the decryption function). This possibly compromises the encryption function. In general, we worry that $A^*$ may be able to select a space $R_i$ for Merlin such that taking $y_i$ from $R_i$ and encrypting $y_i$ under $E$ compromises $E$.) 

In any case, requiring a public key cryptosystem is a stronger assumption than the com- 
mitment scheme E(msg,rand) that we require. 

2. Preliminaries 

2.1. Interactive proof systems 

The definition we give for an interactive proof system is essentially that of Goldwasser, Micali, and Rackoff [GMR]; see this paper for a more complete discussion of interacting Turing machines and interactive proofs. It does not significantly affect the model if one assumes that the prover never halts, the verifier sends the first message, and communication is done on a single communication tape. We build these assumptions into the definition: 

An interactive proof system, $(P \leftrightarrow V)$, consists of a pair of probabilistic Turing machines, $P$ and $V$, with common alphabet $\Sigma$. $P$ and $V$ each have distinguished start and quiescent states. $V$ has distinguished accept and reject states, out of which there are no transitions. $P$ and $V$ operate on various one-way infinite tapes: 

• P and V have a common read-only input tape. 

• P and V each have a private random tape, and a private work tape. 

• P and V have a common communication tape. 

• V is polynomially time-bounded. This means that there is a polynomial p for which, on 
inputs of length n, V experiences at most p(n) state transitions before it accepts or rejects. 
V does not transition when it is quiescent, and P is running. 

• $P$ is finite expected time. This means that there is a function $f$ such that, on inputs of length $n$, $P$'s expected computation time from start to quiescent states does not exceed $f(n)$, regardless of the messages $P$ has received. 

• There is a polynomial r such that P never writes more than r(n) characters (including 
blanks) on the communication tape when the common input is of length n. 

Execution begins with P in its quiescent state and V in its start state. V's entering its quiescent 
state arouses P, causing it to transition to its start state. Likewise, P's entering its quiescent 
state causes V to transition to its start state. Execution terminates when V enters its accept or 
reject state. 

If $P$ and $V$ are given random tapes $\sigma, \tau \in \Sigma^{\infty}$ respectively, and are then run on input $x \in \Sigma^*$ with work tapes initially empty, then the final state that $V$ enters is well-defined, and we say that $(P_\sigma \leftrightarrow V_\tau)(x)$ accepts or rejects accordingly. If we omit mention of $\sigma$ and $\tau$, then we may speak of the "probability that $(P \leftrightarrow V)(x)$ accepts," $\Pr[(P \leftrightarrow V)(x) \text{ accepts}]$. 

Definition. $(P \leftrightarrow V)$ is an interactive proof system for the language $L$ if, for some $0 < \varepsilon < 1/2$, we have both: 

completeness: $x \in L \Rightarrow \Pr[(P \leftrightarrow V)(x) \text{ accepts}] \ge 1 - \varepsilon$, and 

soundness: $(\forall P^*)\ x \notin L \Rightarrow \Pr[(P^* \leftrightarrow V)(x) \text{ accepts}] \le \varepsilon$. 

$(P \leftrightarrow V)$ is a one-sided interactive proof system if, in place of completeness, we have: 

perfect completeness: $x \in L \Rightarrow \Pr[(P \leftrightarrow V)(x) \text{ accepts}] = 1$. 

That is, a one-sided interactive proof always accepts $x$ when $x \in L$, regardless of the contents of the random tapes. 

The number $\varepsilon$ in this definition is called the error probability. By the standard method of running the protocol multiple times, we may take the error probability to be any constant in $(0, 1]$, or even any error probability of the form $\varepsilon(n) = 2^{-p(n)}$, where $p$ is a polynomial. 

In order to extend our discussion to speak of knowledge, we consider the possibility that $V$'s work tape initially contains "some knowledge." Suppose $P$ and $V$ are given random tapes $\sigma, \tau \in \Sigma^{\infty}$, respectively, and are run on input $x \in \Sigma^*$, with $s \in \Sigma^*$ initially placed on $V$'s work tape. Then not only is the final state of $V$ well-defined, but so are: 

• The number of rounds, $2m$, for which $P$ and $V$ interact. (The number of rounds is the number of messages sent between A and B.) 

• The $i$th message sent from $V$ to $P$, $x_i$. (A message is a prefix of the communication tape, from its left end to the first blank.) 

• The $i$th message sent from $P$ to $V$, $y_i$. 

• The (finite) prefix $\tau_0$ of $\tau$ that $V$ reads. 

That is, $(P, V, \sigma, \tau, x, s)$ determine the number $m$ and the strings $\bar{x} = x_1; \ldots; x_m;$ and $\bar{y} = y_1; \ldots; y_m;$ as above. We define from these the public history of the interaction and the view of the interaction: 

$$(P_\sigma \xleftrightarrow{\mathrm{pub}} V_\tau)(x, s) = [x, \bar{x}, \bar{y}],$$ 

$$(P_\sigma \xleftrightarrow{\mathrm{view}} V_\tau)(x, s) = [x, s, \tau_0, \bar{y}].$$ 

Interpret the right hand side of each of these definitions as the binary encoding of the specified string, where '[', ';' and ',' are new (formal) symbols. 

Informally, the public history is the interaction as it would be observed from the "outside;" the view is the interaction as seen from $V$'s perspective. 

If we omit mention of $\sigma$ and $\tau$, then $(P \xleftrightarrow{\mathrm{pub}} V)(x, s)$ and $(P \xleftrightarrow{\mathrm{view}} V)(x, s)$ are probability spaces. $(P \xleftrightarrow{\mathrm{pub}} V)$ and $(P \xleftrightarrow{\mathrm{view}} V)$ (no mention of $x$ or $s$) are families of probability spaces. 

2.2. Arthur-Merlin protocols 

In the definition for an interactive proof, the verifier was not compelled to reveal his coin flips (the prefix of his random tape that he uses) to the prover. If the verifier does reveal his coin flips at each round, there is no reason for him to send anything else, since the prover himself could as well compute anything else the verifier would have sent. A seemingly weaker notion of an interactive proof, introduced by Babai [Ba] [BaM], is obtained by limiting the verifier's messages in this way. 

Definition. An interactive proof for $L$, $(M \leftrightarrow A)$, is an Arthur-Merlin protocol if for some polynomials $r$ and $l$, any interaction between $M$ and $A$ on an input of length $n$ takes exactly $r(n)$ rounds, each message sent being of length $l(n)$. Moreover, the $r(n)$ messages sent by $A$, $x_1, \ldots, x_{r(n)}$, are precisely the prefix $\tau_0 = x_1 \ldots x_{r(n)}$ of $A$'s random tape that $A$ consumes. 

The first condition alone is easily seen not to weaken the model from that of an interactive 
proof system. Surprisingly, the second condition does not weaken the model either: 



Theorem 2.1. If $(P \leftrightarrow V)$ is an interactive proof system for $L$, then there is a one-sided, Arthur-Merlin protocol $(M \leftrightarrow A)$ for $L$. 

The result without "one-sided" is due to Goldwasser and Sipser [GS]; it was extended to 
proofs of perfect completeness by Goldreich, Mansour, and Sipser [GMS]. Recently, J. Kilian [K] 
discovered a much simpler argument for Theorem 2.1. 

2.3. Zero-knowledge 

For $C_n \in \Sigma^*$ ($n \in \mathbb{N}$), $C = \{C_n\}$ is a poly-size family of circuits if there are polynomials p 
and q such that $|C_n| \le p(n)$, and $C_n$ encodes (via some fixed universal Turing machine) a 
(deterministic) algorithm which, on input $x \in \Sigma^*$, requires at most $q(|x|)$ steps before it outputs 
a bit, 0 or 1. 

If C is an algorithm that outputs a bit, and R is a probability space, then we may speak of 
"the probability that C outputs a 1 on input drawn from R," $p^C_R = \sum_{\sigma \in R} \Pr_R(\{\sigma\}) \cdot C(\sigma)$. 

We define zero-knowledge in terms of families of probability spaces indexed by two variables, 
which are treated differently. 

Definition. Let $R = \{R(x,s)\}$ and $S = \{S(x,s)\}$ be families of probability spaces, indexed 
by $\Sigma^* \times \Sigma^*$. Then R and S are indistinguishable over L if, for any poly-size family of circuits 
$\{C_n\}$, any polynomial q, and all sufficiently long x in L, 

$|p^{C_{|x|}}_{R(x,s)} - p^{C_{|x|}}_{S(x,s)}| < \frac{1}{q(|x|)}$ 

for all $s \in \Sigma^*$. If R and S are indistinguishable over L, we write $R \equiv_L S$ to denote this. 

Definition. P is zero-knowledge over L if, for any V, there exists an expected polynomial-time 
algorithm $M_V$ such that $(P \overset{\mathrm{view}}{\longleftrightarrow} V) \equiv_L M_V$. 

Definition. $(P \leftrightarrow V)$ is a zero-knowledge interactive proof system for L if $(P \leftrightarrow V)$ is an 
interactive proof system for L, and P is zero-knowledge over L. 

We have defined indistinguishability with respect to poly-size families of circuits. In the 
proof of the main theorem, it will be convenient to think of indistinguishability with respect to 
poly-size families of probabilistic polynomial time algorithms. As with circuits, this is a nonuniform 
concept; there may be no algorithm which, on input n, outputs the expected poly-time 
algorithm $C_n$. By an averaging argument, and exploiting nonuniformity, it is easy to see that 
the notion of indistinguishability is unchanged if we define indistinguishability with respect to 
poly-size families of circuits, or with respect to poly-size families of probabilistic polynomial time 
algorithms. 

2.4. Preliminary results 

It is frequently convenient to assume that, when P and V interact, the interaction takes place 
for a fixed number of rounds, messages are of a fixed length, and V uses a fixed number of coin 
flips per round. The following proposition says that there is no loss of generality in making these 
assumptions. The proof is straightforward and has been omitted. 

Proposition 2.2. If $(P \leftrightarrow V)$ is a (zero-knowledge) (one-sided zero-knowledge) interactive 
proof system for L, then there exist P', V', and polynomials r, l, t, such that $(P' \leftrightarrow V')$ is 
a (zero-knowledge) (one-sided zero-knowledge) interactive proof system for L, and on each input 
of length n, the interaction runs for exactly r(n) rounds, each message exchanged of length l(n), 
and V' flipping precisely t(n) coins for each message that it sends. ◇ 
With respect to language recognition, we may further assume that the prover is deterministic. 
This observation (actually, that PSPACE was enough for the prover) was first made by 
Feldman [Fe]. 

Proposition 2.3. If $(P \leftrightarrow V)$ is an interactive proof system for L, then there is a deterministic 
P' for which $(P' \leftrightarrow V)$ is an interactive proof system for L. If $(P \leftrightarrow V)$ was an Arthur-Merlin 
protocol, then so will be $(P' \leftrightarrow V)$. 

The next proposition depends on the fact that the "composition" of zero-knowledge interactive 
proofs remains zero-knowledge. A proof of Proposition 2.4 can be found in the paper of 
Tompa and Woll [TW]. 

Proposition 2.4. If L admits a (one-sided) zero-knowledge interactive proof, then L admits a 
(one-sided) zero-knowledge interactive proof with error probability $\epsilon$ for any $0 < \epsilon < 1/2$. ◇ 

To state the next lemma — which conceptually simplifies the argument of the main result — 
we define the composition of two interactive proof systems, $(P_1 \leftrightarrow V_1)$ and $(P_2 \leftrightarrow V_2)$. Let us 
assume that the former always uses $r(|x|)$ rounds on any input x, and that each message is of 
length $l(|x|)$. (By Proposition 2.2, this entails no loss of generality.) $((P_2 \circ P_1) \leftrightarrow (V_2 \circ V_1))$ is 
defined as follows: Initially, $P_2 \circ P_1$ and $V_2 \circ V_1$, acting on common input x, behave like $P_1$ and 
$V_1$, respectively, acting on common input x. This continues for the first $r(|x|)$ rounds. However, 
$P_2 \circ P_1$ and $V_2 \circ V_1$ each record the public history of the interaction during these $r(|x|)$ rounds. 
After that, $P_2 \circ P_1$ checks that the public history of the interaction is a public history that could 
arise in a $(P_1 \leftrightarrow V_1)$ interaction on x. If so, $P_2 \circ P_1$ behaves like $P_2$ acting on input of the public 
history of the preceding interaction; if not, all future messages of $P_2 \circ P_1$ are the empty string. 
$V_2 \circ V_1$ continues by behaving like $V_2$, acting on input of the public history of the preceding 
interaction. 

The technical lemma we need is 

Lemma 2.5. Suppose $(P_2 \leftrightarrow V_2) \circ (P_1 \leftrightarrow V_1)$ is an interactive proof system for L. Suppose $P_1$ 
is zero-knowledge over L, and $P_2$ is zero-knowledge over L', where $L' = (P_1 \leftrightarrow V_1)(L)$ is the 
set of all public histories that might arise in a $(P_1 \leftrightarrow V_1)$ interaction about a string in L. Then 
$P_2 \circ P_1$ is zero-knowledge over L. 

Proof: Let $r_1$ be the polynomial such that $(P_1 \leftrightarrow V_1)$ uses $r_1(|x|)$ rounds on any input x, and 
let l be the polynomial such that each of these messages is of length $l(|x|)$. 

Let W be any polynomial-time probabilistic algorithm that interacts with $P_2 \circ P_1$. We may 
assume that $(P_2 \circ P_1 \leftrightarrow W)$ uses $r(|x|)$ rounds on any input x, where r is a polynomial exceeding 
$r_1$ pointwise. 

We must exhibit an expected polynomial time machine M (of two arguments) for which 
$(P_2 \circ P_1 \overset{\mathrm{view}}{\longleftrightarrow} W) \equiv_L M$. 

Begin by constructing from W machines $W_1$ and $W_2$ as follows. $W_1$, on input (x,s), 
behaves exactly like W would behave on (x,s), but only for $r_1(|x|)$ rounds. After that, $W_1$ 
immediately accepts (or rejects). 

$W_2$ takes as input a pair (x,s), where we assume $s = [z, s', \tau, y]$, and y is of the form 
$y_1; \ldots; y_m$. Such an s is the view of part of a computation of W. $W_2$ runs W, to resurrect the state W 
would be in after the conversation indicated by s. After that, $W_2$ behaves like W, starting from 
this state. 

Since $P_1$ is zero-knowledge over L, there is an expected poly-time $M_1$ such that 
$(P_1 \overset{\mathrm{view}}{\longleftrightarrow} W_1) \equiv_L M_1$. 

Since $P_2$ is zero-knowledge over L', there is an expected poly-time $M_2$ such that 
$(P_2 \overset{\mathrm{view}}{\longleftrightarrow} W_2) \equiv_{L'} M_2$. 
M is constructed by "composing" $M_1$ and $M_2$. On input (x,s), M first runs $M_1$, to 
compute a string which, without loss of generality, looks like $[x,s,\tau_1,y_1]$. Next, M runs 
$M_2(\lambda, [x,s,\tau_1,y_1])$, producing a string $[\lambda, [x,s,\tau_1,y_1], \tau_2, y_2]$. M outputs $[x,s,\tau_1\tau_2,y_1y_2]$. 

M(x,s) can be described as the probability space resulting from performing the following 
experiment: 

Experiment M:   $[x,s,\tau_1,y_1] \leftarrow M_1(x,s)$. 
                $[x,s,\tau_2,y_2] \leftarrow M_2(\lambda,[x,s,\tau_1,y_1])$. 
                OUTPUT $[x,s,\tau_1\tau_2,y_1y_2]$. 

$R(x,s) = (P_2 \circ P_1 \overset{\mathrm{view}}{\longleftrightarrow} W)(x,s)$ can be viewed as the probability space associated with the 
following experiment: 

Experiment R:   $[x,s,\tau_1,y_1] \leftarrow (P_1 \overset{\mathrm{view}}{\longleftrightarrow} V_1)(x,s)$. 
                $[x,s,\tau_2,y_2] \leftarrow (P_2 \overset{\mathrm{view}}{\longleftrightarrow} V_2)(\lambda,[x,s,\tau_1,y_1])$. 
                OUTPUT $[x,s,\tau_1\tau_2,y_1y_2]$. 
We now have two families of probability spaces, R of "real" prover-verifier interactions, and M of 
simulated interactions. Let's introduce one more, H, of "hybrid" interactions, with the following 
experiment used to define the probability space H(x,s): 

Experiment H:   $[x,s,\tau_1,y_1] \leftarrow (P_1 \overset{\mathrm{view}}{\longleftrightarrow} V_1)(x,s)$. 
                $[x,s,\tau_2,y_2] \leftarrow M_2(\lambda,[x,s,\tau_1,y_1])$. 
                OUTPUT $[x,s,\tau_1\tau_2,y_1y_2]$. 

We now argue that $R \equiv_L M$. Suppose that this is not the case. Then there is some 
poly-size family $C = \{C_n\}$ and some polynomial q such that 

$|p^{C_{|x|}}_{R(x,s)} - p^{C_{|x|}}_{M(x,s)}| \ge \frac{1}{q(|x|)}$ 

for infinitely many $(x,s) \in L \times \Sigma^*$. Then, by the triangle inequality, either 

$|p^{C_{|x|}}_{R(x,s)} - p^{C_{|x|}}_{H(x,s)}| \ge \frac{1}{2q(|x|)} \qquad (1)$ 

or 

$|p^{C_{|x|}}_{H(x,s)} - p^{C_{|x|}}_{M(x,s)}| \ge \frac{1}{2q(|x|)} \qquad (2)$ 

for infinitely many $(x,s) \in L \times \Sigma^*$. We show that both of these cases are impossible. 
Case 1. ((1) holds infinitely often.) Choose an $(x, s_x)$ for which (1) holds. Single out the coin 
flips used by $V_1$, and the messages $y_1, \ldots, y_{r_1(|x|)}$ that $P_1$ might send to $V_1$ in the interactions 
defining $R(x,s_x)$ and $H(x,s_x)$. There is a particular sequence of coin flips $\sigma$ for $V_1$ to use, and 
a particular vector of messages $\tau = y_1 \ldots y_{r_1(|x|)}$ for $P_1$ to use, such that 

$|p^{C_n}_{R_{\sigma,\tau}(x,s_x)} - p^{C_n}_{H_{\sigma,\tau}(x,s_x)}| \ge \frac{1}{2q(|x|)},$ 

where $p^{C_n}_{R_{\sigma,\tau}(x,s_x)}$ is the probability that $C_n$ outputs 1 when Experiment R is run with $\sigma$ and $\tau$ 
used for $V_1$'s coins and $P_1$'s messages, respectively; likewise for $p^{C_n}_{H_{\sigma,\tau}(x,s_x)}$. Consequently, we may 
"hardwire" into $C_n$ the values we obtain from $(P_1 \leftrightarrow V_1)$ interacting on $(x,s_x)$ using $\sigma$ and $\tau$, 
to obtain a circuit which distinguishes $(P_2 \overset{\mathrm{view}}{\longleftrightarrow} V_2)(x,s_x)$ from $M_2(x,s_x)$ by at least $1/(2q(|x|))$. 
The existence of the family of circuits modified as specified here contradicts 
$(P_2 \overset{\mathrm{view}}{\longleftrightarrow} V_2)(\cdot,\cdot) \equiv_{L'} M_2(\cdot,\cdot)$. 

Case 2, when (2) holds infinitely often, is handled analogously. ◇ 

For completeness, we state the following trivial proposition: 

Proposition 2.6. Let $L' \subseteq L$. If P is zero-knowledge over L, then P is zero-knowledge over 
L'. ◇ 



2.5. Secure probabilistic encryption 

The prover in our protocol will need the ability to securely commit a bit, and to convincingly 
decommit it. We formalize this by saying that a secure probabilistic encryption scheme is a 
function $E : \Sigma \times \Sigma^* \to \Sigma^*$ such that 

(1) E is computable in polynomial time. 

(2) Unique decryption: $E(\beta,x) = E(\beta',y)$ implies $\beta = \beta'$. 

(3) Let $E_n(\beta)$ be the probability space obtained by setting $\Pr(y) = 2^{-n} \cdot |\{x \in \Sigma^n : 
E(\beta,x) = y\}|$. We require that for any poly-size family of circuits $C = \{C_n\}$, for any 
polynomial q, and for all sufficiently large n, 

$|p^{C_n}_{E_n(0)} - p^{C_n}_{E_n(1)}| < \frac{1}{q(n)}.$ 

(Recall $p^C_R$ is the probability that circuit C outputs 1 on input drawn from R. Note that to 
achieve the unique decryption condition with conventional encryption schemes, "certified primes" 
must be used [GK][AH].) We write $\{E_n(0)\} \equiv_{\mathbb{N}} \{E_n(1)\}$ to denote the security condition. 

Without loss of generality, there is a polynomial q such that $|E(\beta,x)| = q(|x|)$ for all 
$x \in \Sigma^*$. 

To encrypt a bit $\beta$ with security parameter n, select a random n-bit string x and send 
$E(\beta,x)$. To decommit, reveal x. The unique decryption condition makes it impossible that the 
committed bit could be $1 - \beta$. Also, from x and $E(\beta,x)$ one can easily compute $\beta$. 

To encrypt a string $m = \beta_1 \ldots \beta_t$ with security parameter n, send $E(\beta_1,x_1) \ldots E(\beta_t,x_t)$ 
for random n-bit strings $x_1, \ldots, x_t$. The encryption will be denoted $E_n(m,x)$, where $x = 
x_1 \ldots x_t$, and the corresponding probability space is denoted $E_n(m)$. 

A secure encryption scheme exists if there are unapproximable predicates [GM], or if there 
are injective one-way functions [Ya][L][G]. (If f is injective one-way, then there are poly-time 
computable functions $f'$ and b such that $f'(x) = f'(y)$ implies $b(x) = b(y) \in \{0,1\}$, and no 
poly-size circuit family can predict $b(x)$ given $f'(x)$ by better than $1/2 + n^{-c}$, for any constant 
c. Given such $f'$ and b, E as we have described it can readily be constructed.) 

The crucial property we need of a secure probabilistic encryption scheme is the following: 

Lemma 2.7. Assume the existence of a secure probabilistic encryption scheme. Let $\{y_n\}$ be a 
collection of strings, where $|y_n| = l(n)$, for some nonconstant polynomial l. Then 

$\{E_n(y_n)\} \equiv_{\mathbb{N}} \{E_n(0^{l(n)})\}.$ 

Proof: Suppose to the contrary that there is a poly-size family $C = \{C_n\}$ and a polynomial q 
such that 

$|p^{C_n}_{E_n(y_n)} - p^{C_n}_{E_n(0^{l(n)})}| \ge \frac{1}{q(n)}$ 

for infinitely many $n \in \mathbb{N}$. Pick a particular n for which this holds. Define the strings $y^i_n$, for 
$0 \le i \le l(n)$, by $y^i_n = y_n[1..i]\,0^{l(n)-i}$ (the first i bits of $y_n$ followed by $l(n)-i$ zeros). 
Note $y^0_n = 0^{l(n)}$, and $y^{l(n)}_n = y_n$. There exists, then, a j, $0 \le j < l(n)$, such that 

$|p^{C_n}_{E_n(y^j_n)} - p^{C_n}_{E_n(y^{j+1}_n)}| \ge \frac{1}{l(n) \cdot q(n)}.$ 

Note that $y^j_n$ and $y^{j+1}_n$ agree at all positions except the (j+1)-st, where $y^j_n$ is 0 and $y^{j+1}_n$ 
is 1 (if the (j+1)-st bit of $y_n$ were 0, the two strings would coincide and the difference above 
would vanish). Consequently, we may hardwire into $C_n$ the values of $y^j_n$ at each position except the (j+1)-st, 
to obtain a coin-flipping circuit which distinguishes encryptions of 0 from encryptions of 1 by at 
least $1/(l(n)q(n))$. Converting to a deterministic circuit, we contradict condition (3) about our 
encryption scheme. ◇ 



2.6. Zero-knowledge proofs for all of NP 

The following lemma and theorem are due to Goldreich, Micali, and Wigderson [GMW1]. The 
proof of the first of these is omitted. 

Lemma 2.8. If secure probabilistic encryption is possible, then the language of (encodings of) 
3-colorable graphs admits a (one-sided) zero-knowledge interactive proof. ◇ 

Theorem 2.9. If secure probabilistic encryption is possible, then any language in NP possesses 
a (one-sided) zero-knowledge interactive proof. 

Proof: Take $L \in NP$, and let M be a nondeterministic Turing machine for L. Fix a canonical 
transformation $\varphi$ that takes any (M,x) (the encoding of a nondeterministic Turing machine and 
an input x) to a graph G. $\varphi$ is poly-time computable, and has the property that M accepts x 
iff $\varphi(M,x)$ is 3-colorable. 

To prove $x \in L = L(M)$ in zero-knowledge, both the prover and the verifier compute the 
graph $G = \varphi(M,x)$, and engage in a zero-knowledge interactive proof (using Lemma 2.8) that 
G is 3-colorable. ◇ 



3. Proof of the main theorem 

We now prove the main theorem of this paper: 

Theorem 3.1. Assuming a secure probabilistic encryption scheme exists, every language that 
admits an interactive proof admits a zero-knowledge interactive proof. 

Proof: Suppose L admits an interactive proof. Then, by Theorem 2.1, L admits a one-sided, 
Arthur-Merlin interactive proof $(M \leftrightarrow A)$. By Proposition 2.3, M may be assumed to be 
deterministic. By Proposition 2.4, we may take the error probability of $(M \leftrightarrow A)$ to be less than 
1/5. 

By Proposition 2.2, $(M \leftrightarrow A)$ may be assumed to always use r(n) rounds, each message of 
length l(n), when M and A interact with common input x of length n. (r and l are polynomials.) 

We will construct from M and A a zero-knowledge, one-sided interactive proof system 
$(P \leftrightarrow V)$ for L. 

Suppose Arthur's random tape contains a given infinite string. On input x of length n, 
Arthur only uses the $(l(n) \cdot r(n))$-bit prefix of this string, $x_1 \cdots x_{r(n)}$, where $|x_i| = l(n)$. Arthur 
sends Merlin $x_1, \ldots, x_{r(n)}$, receiving (interleaved with these queries) the messages $y_1, \ldots, y_{r(n)}$. 
Then Arthur accepts or rejects according to the deterministic, poly(n)-time computable predicate 

$P_A(x, x_1, \ldots, x_{r(n)}, y_1, \ldots, y_{r(n)})$ 

that he possesses. 

To transform $(M \leftrightarrow A)$ into $(P \leftrightarrow V)$, a zero-knowledge interactive proof system for L, we 
will have the prover, P, behave like M, and the verifier, V, behave like A, with the following 
exceptions: The prover will encrypt each message $y_i$ that he sends to the verifier, and then 
convince the verifier that he (V) would accept if he knew the corresponding encryption keys. 

That is, the protocol runs in two phases. In the first phase, if P and V share input x of 
length n, then on round i, when Merlin "would have" sent to Arthur the string $y_i$, P instead 
randomly selects an $nl(n)$-bit string $d_i$ and sends to V the string $\alpha_i = E_n(y_i, d_i)$. For the second 
phase, after all r(n) rounds of the first phase are completed, the prover decides whether or not 
A would have accepted the corresponding unencrypted conversation, a fact which P can easily 
discern using $P_A$. If A would have accepted, then P convinces V that A would have accepted. 
That is, P convinces V of the validity of the NP-assertion 

$(\exists d_1, \ldots, d_{r(n)}, y_1, \ldots, y_{r(n)})\ [(E_n(y_i, d_i) = \alpha_i \text{ for all } i) \wedge 
P_A(x, x_1, \ldots, x_{r(n)}, y_1, \ldots, y_{r(n)})].$ 

P convinces V of this assertion by computing a graph G which is 3-colorable if and only if 
the preceding assertion holds, and then convincing V that G is 3-colorable using the method 
of [GMW1]. Enough rounds are used in this protocol to convince V that G is 3-colorable with 
probability at least 4/5. Note G can be computed by a deterministic poly(n) time algorithm, $\varphi$, 
so both P and V "know" G after the first r(n) interactions. 

Let $\varphi$ be the canonical map (appears in the proof of Theorem 2.9) that takes a tuple 
$(x, x_1, \ldots, x_{r(n)}, \alpha_1, \ldots, \alpha_{r(n)})$ to a graph G which is 3-colorable iff there is a guess $y_1, \ldots, y_{r(n)}$, 
$d_1, \ldots, d_{r(n)}$ for which $\alpha_i = E(y_i, d_i)$ and A would accept the corresponding unencrypted 
conversation according to $P_A$. We may assume that is always a power of 2. Though we 
include details of Phase 2 for completeness, it can be viewed as a black box that accepts the 
public conversation with error probability < 1/5 whenever M would have accepted the corresponding 
unencrypted conversation. 

Protocol for the prover, P (on input x of length n) 

If $x \notin L$, all messages to the verifier are $\lambda$. Otherwise ... 

On rounds $1 \le i \le r(n)$: PHASE 1 ... 

- Wait to receive a message $x_i$ from the verifier. 

- If $|x_i| \ne l(n)$, all future messages to the verifier are $\lambda$. Otherwise ... 

- Compute $y_i \leftarrow M(x, x_1, \ldots, x_i)$. 

- Randomly select $d_i \in \Sigma^{nl(n)}$. 

- Send $\alpha_i = E_n(y_i, d_i)$ to the verifier. 

On round $i = r(n)+1$: PHASE 2 ... 

- Compute the graph $G = \varphi(x, x_1, \ldots, x_{r(n)}, \alpha_1, \ldots, \alpha_{r(n)})$, $V(G) = \{1, \ldots, v\}$. 

- Compute a random (proper, vertex) 3-coloring of G, $\theta_1 : V(G) \to \{01, 10, 11\}$. 

- Randomly select $d^1_1, \ldots, d^1_v \in \Sigma^{2n}$. 

- Send $E_n(\theta_1(1), d^1_1), \ldots, E_n(\theta_1(v), d^1_v)$ to the verifier. 

For rounds $i \leftarrow r(n)+2$ to $\infty$: 

- Receive an edge $\{j, k\}$ from the verifier. 
  All future messages are $\lambda$ if receiving something not of this form. 

- Send $(d^{i-1}_j, d^{i-1}_k)$ to the verifier. 

- Select a random 3-coloring of G, $\theta_i$. 

- Randomly select $d^i_1, \ldots, d^i_v \in \Sigma^{2n}$. 

- Send $E_n(\theta_i(1), d^i_1), \ldots, E_n(\theta_i(v), d^i_v)$ to the verifier. 
Protocol for the verifier, V (on input x of length n) 

On round 1: PHASE 1 ... 

- Read off first $l(n)$ bits of random tape into $x_1$. 

- Send $x_1$ to the prover. 

On rounds $2 \le i \le r(n)$: 

- Receive $\alpha_{i-1}$ from the prover. 

- Read off next $l(n)$ bits of random tape into $x_i$. 

- Send $x_i$ to the prover. 

On round $i = r(n)+1$: 

- Receive $\alpha_{r(n)}$ from the prover. 

- Send $\lambda$ to the prover. 

On round $i = r(n)+2$: PHASE 2 ... 

- Compute $G = \varphi(x, x_1, \ldots, x_{r(n)}, \alpha_1, \ldots, \alpha_{r(n)})$, $V(G) = \{1, \ldots, v\}$. 

- Receive $(\alpha^1_1, \ldots, \alpha^1_v)$ from the prover. 

- If not of this form, reject. 

- Randomly select an edge $\{j, k\} \in E(G)$. 

- Send $\{j, k\}$ to the prover. 

For rounds $i \leftarrow r(n)+3$ to $r(n)+3+2m$: 

- Receive $(d^{i-1}_j, d^{i-1}_k)$ from the prover. 

- If not of this form, or if it is not the case that for distinct $u, w \in \{01, 10, 11\}$, 
  $\alpha^{i-1}_j = E_n(u, d^{i-1}_j)$ and $\alpha^{i-1}_k = E_n(w, d^{i-1}_k)$, reject. 

- Receive $\alpha^i_1, \ldots, \alpha^i_v$ from the prover. 

- If not of this form, reject. 

- Randomly select $\{j, k\} \in E(G)$, and send $\{j, k\}$ to the prover. 

Accept. 

We have three things to check: that V accepts all strings in L; that V usually rejects 
strings not in L, even if P is replaced by some other probabilistic algorithm; and that P is 
zero-knowledge over L. 

The first two of these claims are easy. Choose $x \in L$, where |x| = n. Then for any strings 
$x_1, \ldots, x_{r(n)}$, we know that A interacting with M would accept when A sends messages 
$(x_1, \ldots, x_{r(n)})$. Since the interactive proof for graph 3-colorability is one-sided, P will always 
be able to convince V that A would accept $(x, x_1, \ldots, x_{r(n)}, \alpha_1, \ldots, \alpha_{r(n)})$ if A knew 
the corresponding encryption keys. So, in fact, we retain perfect completeness. 

Suppose V is interacting with a corrupt prover, $P^*$, and the common input is x, a string 
of length n, where $x \notin L$. The probability that V will accept a string which A would not have 
accepted when given the corresponding unencrypted messages is at most 1/5. But for any $x \notin L$, 
A accepts with probability at most 1/5. Thus V fallaciously accepts x with probability at most 
2/5, so the proof system is sound. 

We now show that P is zero-knowledge over L. By Lemma 2.5, if we prove that P is 
zero-knowledge for the first phase of the interaction, we will be done: the whole interaction is 
the composition of $(P \leftrightarrow V)$ restricted to the first phase, with $(P \leftrightarrow V)$ restricted to the second 
phase, and the second phase is zero-knowledge over the output of the first phase. 

Let $P_1$ be the protocol that carries out the first phase of the interaction. Inquiries beyond 
the r(n)-th are answered with the empty string. 






Let W be a probabilistic poly-time algorithm that interacts with $P_1$. We may assume that 
W flips exactly t(n) coins on each round, where t is a polynomial, and n is the length of the 
common input. 

We may assume that $(P_1 \leftrightarrow W)$ always uses exactly r(n) rounds, each message of length 
l(n), when the common input is of length n. 

$M_W$ simulates a "virtual prover," $\tilde{P}_1$, interacting with W. $M_W$ uses its coins at odd 
positions for $\tilde{P}_1$'s coins, and its coins at even positions for W's coins. $M_W$, after simulating the 
interaction, outputs the view of this interaction. Note that $M_W$ is polynomial time. 

Here is the protocol for $\tilde{P}_1$: 

On rounds $1 \le i \le r(n)$: 

- Wait to receive a message $x_i$ from the verifier. 

- If $|x_i| \ne l(n)$, all future messages are $\lambda$. Otherwise ... 

- Randomly select $d_i \in \Sigma^{nl(n)}$. 

- Send $E_n(0^{l(n)}, d_i)$ to the verifier. 

On future rounds: 

- Send $\lambda$ to the verifier. 

We argue that $(P_1 \overset{\mathrm{view}}{\longleftrightarrow} W)(\cdot, \cdot) \equiv_L M_W(\cdot, \cdot)$. The auxiliary string plays no role in the proof 
(other than to be given to W), so we omit further mention of it. Denote the space $(P_1 \overset{\mathrm{view}}{\longleftrightarrow} W)(x)$ 
by $S_{r(|x|)}(x)$, and $M_W(x)$ by $S_0(x)$. Assume for contradiction that these families of spaces are 
computationally distinguishable over L. That is, there exists a polynomial size family of circuits 
$C = \{C_n\}$ and a polynomial h such that 

$|p^{C_{|x|}}_{S_{r(|x|)}(x)} - p^{C_{|x|}}_{S_0(x)}| \ge \frac{1}{h(|x|)}$ 

for infinitely many x in L. 

A "probability walk" is now used. Let $S_j(x)$ be the probability space obtained by using 
the real prover, $P_1$, for the first j rounds with W, and the virtual prover, $\tilde{P}_1$, for the remaining 
rounds. That is, $S_j(x)$ is the probability space defined by the interaction between W and the 
following prover, $P^j_1$. 

On rounds $1 \le i \le r(n)$: 

- Wait to receive a message $x_i$ from the verifier. 

- If $|x_i| \ne l(n)$, all future messages are $\lambda$. Otherwise ... 

- Compute $y_i = M(x, x_1, \ldots, x_i)$ if $i \le j$, and $y_i = 0^{l(n)}$ otherwise. 

- Randomly select $d_i \in \Sigma^{nl(n)}$. 

- Send $E_n(y_i, d_i)$ to the verifier. 

On future rounds: 

- Send $\lambda$ to the verifier. 

Observe that this agrees with our previous definition of $S_0(x)$ and $S_{r(|x|)}(x)$, and that the 
defining algorithms for $S_j(x)$ and $S_{j+1}(x)$ differ in behavior only on the (j+1)-st round, at 
which point $S_j$ uses $\tilde{P}_1$ while $S_{j+1}$ uses $P_1$. 
By the triangle inequality, there are infinitely many x in L for which there is an associated 
i, $0 \le i < r(|x|)$, such that 

$|p^{C_{|x|}}_{S_i(x)} - p^{C_{|x|}}_{S_{i+1}(x)}| \ge \frac{1}{r(|x|) \cdot h(|x|)}. \qquad (1)$ 

Using C, we construct a poly-size family of expected polynomial time algorithms, $C' = 
\{C'_n\}$, and an infinite collection of strings $\{z_n\}$, $|z_n| = l(n)$, such that $C'_n$ effectively distinguishes 
the probability space $E_n(z_n)$ from the probability space $E_n(0^{l(n)})$. 

Choose $x \in L$, |x| = n, and i, for which the bound in (1) holds. We show how to modify 
$C_n$ to obtain $C'_n$. Let 

$|p^{C_n}_{S_i(x)} - p^{C_n}_{S_{i+1}(x)}| = \epsilon_n,$ 

where $\epsilon_n \ge 1/(r(n)h(n))$. 

Consider the first i+1 rounds between a prover and W. An $f(n) = (i+1)t(n)$-bit prefix, 
$\sigma$, of W's random tape, and strings $\alpha_1, \ldots, \alpha_i$ that the prover sends to W determine (1) the first 
i+1 messages, $x_1, \ldots, x_{i+1}$, that W sends; (2) W's state after this portion of the conversation; 
and (3) the string $y_{i+1}$ that the prover will next encrypt and send to W (recall that the prover 
is deterministic on each round up to the point at which it encrypts). 

Let $S^\sigma_i(x)$ be the probability space obtained by having $P^i_1$ interact with W on input x, 
where W's random tape has prefix $\sigma$. Then 

$p^{C_n}_{S_i(x)} = 2^{-f(n)} \sum_{\sigma \in \Sigma^{f(n)}} p^{C_n}_{S^\sigma_i(x)}.$ 

Similarly, for $S_{i+1}$. 

Now, by the triangle inequality, 

$|p^{C_n}_{S_i(x)} - p^{C_n}_{S_{i+1}(x)}| \le 2^{-f(n)} \sum_{\sigma \in \Sigma^{f(n)}} |p^{C_n}_{S^\sigma_i(x)} - p^{C_n}_{S^\sigma_{i+1}(x)}|,$ 

so there is a particular $\sigma \in \Sigma^{f(n)}$ which achieves 

$|p^{C_n}_{S^\sigma_i(x)} - p^{C_n}_{S^\sigma_{i+1}(x)}| \ge \epsilon_n.$ 

Fix such a $\sigma$. For this $\sigma$, the prover induces a certain distribution on the first i messages 
it sends W, $a = \alpha_1 \ldots \alpha_i$, $|a| = g(n) = i\,l(n)\,q(n)$, where q(n) is the number of bits needed 
to encrypt a bit under E. Let $\lambda_a$ be the probability that the prover's first i messages will be a, 
$\sum_a \lambda_a = 1$. Define $S^{\sigma,a}_i(x)$ as the probability space obtained by having $P^i_1$ interact with W on 
x, where W has random tape prefixed by $\sigma$, and $P^i_1$'s initial responses are a. Then 

$p^{C_n}_{S^\sigma_i(x)} = \sum_{a \in \Sigma^{g(n)}} \lambda_a\, p^{C_n}_{S^{\sigma,a}_i(x)}.$ 

Similarly, for $S_{i+1}$. 

Now, as before, 

$|p^{C_n}_{S^\sigma_i(x)} - p^{C_n}_{S^\sigma_{i+1}(x)}| \le \sum_{a \in \Sigma^{g(n)}} \lambda_a\, |p^{C_n}_{S^{\sigma,a}_i(x)} - p^{C_n}_{S^{\sigma,a}_{i+1}(x)}|,$ 

so there is a particular $a \in \Sigma^{g(n)}$ which achieves 

$|p^{C_n}_{S^{\sigma,a}_i(x)} - p^{C_n}_{S^{\sigma,a}_{i+1}(x)}| \ge \epsilon_n.$ 



Now $\sigma$ and $a = \alpha_1 \ldots \alpha_i$ determine $x_1, \ldots, x_{i+1}$ and $y_{i+1}$ such that if the interaction 
determined by $\sigma$ and a is executed, and then $d \in \Sigma^{nl(n)}$ is selected at random, and then, either 
case 1: $E_n(y_{i+1}, d)$ is sent to W, or 
case 2: $E_n(0^{l(n)}, d)$ is sent to W, 

and then, $\tilde{P}_1$ and W are allowed to continue their interaction (which will last another r(n) - i - 1 
rounds) — if all this is done, then the probability space associated with case 1 and the probability 
space associated with case 2 are distinguishable by $C_n$ by at least $\epsilon_n$. 

$C'_n$ is a probabilistic polynomial time algorithm that has $\sigma$ and a "hardwired in." $C'_n$ begins 
by bringing the state of W up to the state it would be in if its random tape began with $\sigma$, and 
it received messages $\alpha_1, \ldots, \alpha_i$ from the prover. The messages $x_1, \ldots, x_{i+1}$ that W would send 
are determined during this process, and they are recorded. $C'_n$ expects a string $\alpha_{i+1}$ as input. 
This input is fed to W as its (i+1)-st message from the prover. From now on, $C'_n$ uses its real 
random tape, and comes up with a query $x_{i+2}$ for W to have made. However, $C'_n$ answers its own 
queries using $\tilde{P}_1$. This continues until $C'_n$ has constructed a complete conversation, 
$((x_1, \alpha_1), \ldots, (x_{r(n)}, \alpha_{r(n)}))$, together with associated coin flips for W (which is $\sigma$ with some random 
$t(n)(r(n) - i - 1)$-bit string appended). $C'_n$ constructs the associated view of the conversation, 
and feeds this to $C_n$ to obtain a bit, 0 or 1. $C'_n$ outputs this bit. 

The poly(n) length of a and $\sigma$ guarantees that $C'_n$ is expected polynomial time. And 

$|p^{C'_n}_{E_n(y_{i+1})} - p^{C'_n}_{E_n(0^{l(n)})}| \ge \epsilon_n$ 

by our construction. 

Set $z_n = y_{i+1}$. The family of probabilistic polynomial time algorithms $C' = \{C'_n\}$ (indexed 
by the same infinite set of naturals as in (1)) so constructed constitutes a poly-size family of 
probabilistic polynomial algorithms that distinguishes $\{E_n(z_n)\}$ from $\{E_n(0^{l(n)})\}$ by at least 
$\epsilon_n$. By our remark that distinguishability by polynomial size families of probabilistic polynomial 
time algorithms implies distinguishability by poly-size families of circuits, we have contradicted 
Lemma 2.7. Our original assumption — that $(P_1 \overset{\mathrm{view}}{\longleftrightarrow} W)$ is distinguishable from $M_W$ — is therefore 
in error. 

That P itself is zero-knowledge follows from Lemma 2.5. The second phase of the interaction 
depends only on the public history of the first phase of the interaction. Recall that, by 
one-sidedness, whenever $x \in L$, A would accept when interacting with M, so the graph G generated 
following the interaction will always be 3-colorable. Since the second phase of the interaction 
is precisely the graph-isomorphism protocol applied to a deterministic poly-time computable function 
of the public history, Lemmas 2.8 and 2.6 tell us that the second phase of the interaction is 
zero-knowledge over the possible public histories. ◇ 
4. Notarized Envelopes: Description and Implementation 

The interactive proof that a graph is 3-colorable ([GMW1]) can be implemented in perfect 
zero-knowledge using envelopes for committing strings. For each vertex, the prover puts into 
a vertex-labeled envelope a slip of paper giving the color of that vertex. These envelopes are 
placed before the verifier. The verifier chooses an edge and the prover allows the verifier to open 
the envelopes for the edge's endpoints. As a consequence of this protocol, all of NP can be 
implemented with envelopes in perfect zero-knowledge. 

It is natural to ask if every language in IP can be proven in zero-knowledge using envelopes 
for commitment. The proof of the preceding section does not immediately give a solution to this 
problem. In this section, we answer this question in the affirmative. 

4.1. Introduction to notarized envelopes 

We now consider a stronger type of commitment scheme, known as notarized envelopes. Notarized 
envelopes allow one to commit and decommit a sequence of bits, $b_1, \ldots, b_n$, just as with 
ordinary envelopes. However, with notarized envelopes one can additionally prove any single NP 
assertion, $P(b_1, \ldots, b_n)$, during or after the commital stage. In our implementation using ordinary 
envelopes, this proof is in perfect zero-knowledge. If $P(b_1, \ldots, b_n)$ does not hold (or a 
poly-time bounded commitor does not have a witness of this fact), then the verifier will reject 
with probability at least $1/n^c$, where c is a constant which depends on P. This probability 
may be amplified arbitrarily by standard techniques. 

A notarized envelope scheme may be thought of as a set of three protocols: A commital protocol, 
a decommital protocol, and a zero-knowledge proof protocol. Nearly all of the complexity 
of our implementation comes from the zero-knowledge protocol. 

4.2. An implementation of notarized envelopes 

Our reduction from notarized envelopes to ordinary envelopes is essentially a simplified version 
of Kilian's reduction from notarized envelopes (or, in his terminology, commital with zero-knowledge 
proofs) to oblivious transfer ([K1]). However, our protocol has somewhat different 
properties from Kilian's, due to the fact that we are using envelopes instead of oblivious transfer. 
Using oblivious transfer, one can noninteractively commit bits with zero-knowledge proofs. Our 
scheme requires a constant number of rounds of interaction. It is not hard to show that any 
implementation based on ordinary envelopes must have some interaction, so our solution is optimal up 
to constant factors. Also, our implementation achieves perfect zero-knowledge, whereas Kilian's 
only achieves statistical zero-knowledge. 
Commital and Decommital 

We first present our protocols for committing and decommitting a set of bits, b\, . . . , b n . In 
our protocols, we adopt the convention that Alice commits the bits, and Bob acts as the verifier. 

Protocol Commit($b_1, \ldots, b_n$) /* Commit $b_1, \ldots, b_n$ */ 

1: Alice uniformly chooses bits $x_1, \ldots, x_{2n}$ subject to 

$b_i = x_i \oplus x_{i+n}$. 

2: Alice commits the $x_i$'s to Bob, using ordinary envelopes. Bob is allowed to know which 
envelope is supposed to contain which $x_i$. 

Protocol Decommit(i) /* Decommit $b_i$ */ 

1: Alice opens the envelopes containing $x_i$ and $x_{i+n}$. Bob computes $b_i = x_i \oplus x_{i+n}$. 

Clearly, Bob gets no information about any of the $b_i$'s from the commital protocol, and, on 
decommit, Bob only gains information about the bit which is being decommitted. 
Zero-knowledge Proofs 

Our implementation of zero-knowledge proofs is somewhat more complicated. We first 
use the simple observation that it suffices to consider predicates, P, which are in $NC^1$ ([K1]). 
Furthermore, given an $NC^1$ predicate, $P(b_1, \ldots, b_n)$, the predicate $P'(x_1, \ldots, x_{2n})$ defined by 

$P'(x_1, \ldots, x_{2n}) = P(x_1 \oplus x_{n+1}, \ldots, x_n \oplus x_{2n}),$ 

will also be in $NC^1$. Now, if $P'(x_1, \ldots, x_{2n})$ is in $NC^1$, then by a theorem of Barrington [Ba], 
there is a polynomial sized width 5 permutation branching program (W5PBP) for $P'$. 
A branching program B may be thought of as a sequence of triples, 

$(i_1, \pi^0_1, \pi^1_1), \ldots, (i_m, \pi^0_m, \pi^1_m),$ 

and a special element, a. For $j \in [1, m]$ we have $i_j \in [1, n]$ and $\pi^0_j, \pi^1_j \in S_5$, where $S_5$ is the 
group of permutations on 5 elements. The special element a is also in $S_5$, and must not be equal 
to the identity. A branching program, B, realizes a predicate $P(b_1, \ldots, b_n)$ if the product 

$\prod_{j=1}^{m} \pi_j^{b_{i_j}} = \begin{cases} a & \text{when } P(b_1, \ldots, b_n) \text{ is true;} \\ I & \text{when } P(b_1, \ldots, b_n) \text{ is not true.} \end{cases}$ 

Here, I represents the identity element for $S_5$. Given an $NC^1$ circuit for $P'$, Barrington shows 
how to construct a canonical branching program which realizes $P'$, which we denote by $B_{P'}$. 

We can now describe our protocol for giving zero-knowledge proofs of some $NC^1$ predicate, 
$P$. We assume that Alice has committed bits $b_1, \ldots, b_n$, generating bits $x_1, \ldots, x_{2n}$. 

Protocol Prove($x_1, \ldots, x_{2n}$, $P$) /* prove $P(b_1, \ldots, b_n)$ */ 

1: Let $B_{P'}$ be a canonical W5PBP for $P'$. We write 

$$B_{P'} = \big((i_1, \pi_1^0, \pi_1^1), \ldots, (i_m, \pi_m^0, \pi_m^1), a\big).$$

Alice computes the sequence $A_1, \ldots, A_m$ by 

$$A_j = \pi_j^{x_{i_j}}.$$

She then uniformly chooses $R_1, \ldots, R_{m-1}$, where $R_i \in S_5$. For convenience, we define 
$R_0 = R_m = I$. Finally, she computes a new sequence, $B_1, \ldots, B_m$, defined by 

$$B_i = R_{i-1} A_i R_i^{-1}.$$

She then commits $A_i, R_i, B_i$, for $i \in [1,m]$, using ordinary envelopes. 

2: Bob uniformly chooses one of the following three types of queries to make of Alice: 

a: Bob asks Alice to reveal $B_1, \ldots, B_m$. He rejects if 

$$\prod_{i=1}^{m} B_i \ne a.$$

b: Bob asks Alice to, for some $j \in [1,m]$, reveal $A_j, R_{j-1}, R_j, B_j$. He rejects if 

$$B_j \ne R_{j-1} A_j R_j^{-1}.$$

The values of $R_0, R_m$ are assumed to be $I$, and thus do not have to be revealed. 

c: Bob asks Alice to, for some $j \in [1,m]$, reveal $A_j$ and $x_{i_j}$. He rejects if 

$$A_j \ne \pi_j^{x_{i_j}}.$$

Remark: The sequence of $B_i$'s may be thought of as a randomized version of the sequence of 
$A_i$'s. For any choice of $R_1, \ldots, R_{m-1}$ (assuming $R_0 = R_m = I$), we have 

$$\prod_{i=1}^{m} B_i = \prod_{i=1}^{m} A_i.$$

Furthermore, it is not hard to show that if $R_1, \ldots, R_{m-1}$ are distributed uniformly, then the 
sequence $B_1, \ldots, B_m$ will be distributed uniformly over all sequences with the given product. 

We claim that this protocol constitutes a perfect zero-knowledge proof system for P. First 
we show that this is indeed a proof system. 

Lemma 4.1. If $P'(x_1, \ldots, x_{2n})$ does not hold, then Bob will reject with probability at least 
$1/3m$. 

Proof: To simplify our argument, we assume that all of the $x_i$'s are defined, that is, Alice never 
produced any empty or defective envelopes. Clearly, Alice gains nothing by such a tactic. Now, if 

1. $\prod_{i=1}^{m} B_i = a$, 

2. $(\forall i \in [1,m])\ B_i = R_{i-1} A_i R_i^{-1}$, and, 

3. $(\forall i \in [1,m])\ A_i = \pi_i^{x_{i_i}}$, 

then we have, 

$$\prod_{i=1}^{m} \pi_i^{x_{i_i}} = \prod_{i=1}^{m} A_i = \prod_{i=1}^{m} B_i \ \text{(by the above remark)} = a.$$

Therefore, if $P'(x_1, \ldots, x_{2n})$ does not hold, one of the above three equalities must not hold. If 
equality (1) does not hold, then test (a) will always detect this fact. If equality (2) does 
not hold, then test (b) will detect this fact with probability at least $1/m$. If equality (3) does 
not hold, then test (c) will detect this fact with probability at least $1/m$. Since each test will be 
invoked with probability 1/3, the lemma follows. □ 
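The Commit and Prove protocols above, together with the counting argument of Lemma 4.1, as an added Python example that is not code from the original paper: permutations of five points stand in for $S_5$; the W5PBP for $P'(x_1, \ldots, x_4) = (x_1 \oplus x_3) \wedge (x_2 \oplus x_4)$ (that is, $P(b_1, b_2) = b_1 \wedge b_2$ with $n = 2$) is built here from a three-instruction XOR program and Barrington's commutator trick rather than taken from a canonical construction; and the envelopes are modelled by a record the verifier only reads at the fields a query opens. The function names (`prover_commit`, `verifier_check`, `detection_probability`) and the cheating strategy (a prover with a false statement who alters $A_1$ so that the $B_i$ still multiply to $a$) are constructions of this example. It goes slightly beyond the text by computing Bob's exact rejection probability over all of his choices, which for that cheater is exactly the $1/3m$ of the lemma.

```python
"""Commit + Prove from the protocols above, over S_5 (added example)."""
import itertools
import random
from functools import reduce

I5 = (0, 1, 2, 3, 4)          # permutations are tuples p with p[i] = image of i

def mul(p, q):
    """Group product p*q read left to right: apply p first, then q."""
    return tuple(q[p[i]] for i in range(5))

def inv(p):
    r = [0] * 5
    for i, pi in enumerate(p):
        r[pi] = i
    return tuple(r)

def prod(seq):
    return reduce(mul, seq, I5)

def cycle_of(p):
    """Orbit of 0 under p: s_0 = 0, s_{k+1} = p[s_k]."""
    out = [0]
    for _ in range(4):
        out.append(p[out[-1]])
    return out

def conjugator(src, dst):
    """theta with theta * src * theta^-1 == dst (any two 5-cycles are conjugate in S_5)."""
    s, d = cycle_of(src), cycle_of(dst)
    theta = [0] * 5
    for k in range(5):
        theta[d[k]] = s[k]
    return tuple(theta)

# A W5PBP is a list of instructions (var, pi0, pi1); the product of the chosen
# permutations is `out` when the predicate holds and the identity otherwise.
def xor_program(i, j, out):
    """Realizes x_i XOR x_j, i.e. one committed bit b = x_i XOR x_{i+n}."""
    theta = conjugator(inv(out), out)         # theta * out^-1 * theta^-1 == out
    return [(i, I5, theta), (j, I5, out), (i, I5, mul(inv(out), inv(theta)))]

def and_program(f, g):
    """Barrington's commutator trick; f and g build programs for a requested output."""
    a, b = (1, 2, 3, 4, 0), (2, 0, 4, 1, 3)   # 5-cycles whose commutator is a 5-cycle
    out = prod([a, b, inv(a), inv(b)])
    assert len(set(cycle_of(out))) == 5       # the output must be a 5-cycle (not I)
    return f(a) + g(b) + f(inv(a)) + g(inv(b)), out

def evaluate(prog, x):
    return prod([pi1 if x[v] else pi0 for v, pi0, pi1 in prog])

def prover_commit(prog, out, x, rng, cheat=False):
    """Alice's step 1: A_j = pi_j^{x_{i_j}}, random R_1..R_{m-1} with R_0 = R_m = I,
    B_j = R_{j-1} A_j R_j^{-1}; all values stay sealed until Bob asks.  cheat=True models
    a prover with a false statement who alters A_1 so the B_j still multiply to `out`."""
    A = [pi1 if x[v] else pi0 for v, pi0, pi1 in prog]
    if cheat:
        A[0] = mul(out, inv(prod(A[1:])))
    R = [I5] + [tuple(rng.sample(range(5), 5)) for _ in range(len(A) - 1)] + [I5]
    B = [prod([R[j], A[j], inv(R[j + 1])]) for j in range(len(A))]
    return {"A": A, "R": R, "B": B, "x": list(x)}

def verifier_check(prog, out, env, query, j=0):
    """Bob's step 2: one of the three tests; True means Bob does not reject."""
    A, R, B, x = env["A"], env["R"], env["B"], env["x"]
    if query == "a":                              # open every B_j
        return prod(B) == out
    if query == "b":                              # open A_j, R_{j-1}, R_j, B_j
        return B[j] == prod([R[j], A[j], inv(R[j + 1])])
    if query == "c":                              # open A_j and the envelope of x_{i_j}
        v, pi0, pi1 = prog[j]
        return A[j] == (pi1 if x[v] else pi0)
    raise ValueError(query)

def detection_probability(prog, out, env):
    """Exact rejection probability when Bob picks (a), (b, j) or (c, j) as the protocol does."""
    m, p = len(prog), 0.0
    p += 0 if verifier_check(prog, out, env, "a") else 1 / 3
    for j in range(m):
        for q in ("b", "c"):
            p += 0 if verifier_check(prog, out, env, q, j) else 1 / (3 * m)
    return p

def demo(seed=1):
    rng = random.Random(seed)                     # demo only; use secrets.SystemRandom() for real runs
    # P(b_1, b_2) = b_1 AND b_2 with b_1 = x_1 XOR x_3, b_2 = x_2 XOR x_4 (0-indexed below)
    prog, out = and_program(lambda c: xor_program(0, 2, c), lambda c: xor_program(1, 3, c))
    realizes = all(evaluate(prog, x) == (out if (x[0] ^ x[2]) and (x[1] ^ x[3]) else I5)
                   for x in itertools.product((0, 1), repeat=4))
    honest = prover_commit(prog, out, (1, 0, 0, 1), rng)              # b = (1, 1): true
    cheat = prover_commit(prog, out, (1, 1, 0, 1), rng, cheat=True)   # b = (1, 0): false
    return {"m": len(prog), "realizes": realizes,
            "honest_caught": detection_probability(prog, out, honest),
            "cheater_caught": detection_probability(prog, out, cheat)}
```

The honest transcript passes all three tests, so `honest_caught` is 0; the cheater's altered $A_1$ is only visible when Bob opens that one envelope pair under test (c) with $j = 1$, which he does with probability $1/3m$, so with $m = 12$ instructions `cheater_caught` is $1/36$. Bob's view under test (a) is a random sequence with the prescribed product, as the remark above states.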

It is not hard to see that our protocol achieves perfect zero-knowledge. Bob is only allowed 
to make a single test, either (a), (b), or (c). If he makes test (a), all he sees is a random sequence 
of elements whose product is $a$. Tests (b) and (c) allow Bob to get information about $x_{i_j}$, for 
some value of $j$. However, this will give him no information about any of the bits $b_i$, since each 
is represented as an exclusive-or of two of the $x_i$'s. 

4.3. IP in perfect zero-knowledge with envelopes 

The notarized envelope scheme just described gives us zero-knowledge proofs for all of IP: 

Theorem 4.2. Assuming envelopes for bit commitment, every language that admits an inter- 
active proof admits a perfect zero-knowledge interactive proof. 

Proof: Let language $L$ be in IP. Let $(M \leftrightarrow A)$ be a one-sided Arthur-Merlin protocol for $L$, 
rejecting strings not in $L$ with probability at least 1/3. We assume without loss of generality that 
there exist polynomials $r, l$ such that on input $x \in L$, where $|x| = n$, 

1. The protocol $(M \leftrightarrow A)$ takes $r(n)$ rounds. 

2. Each of Arthur's messages, and Merlin's responses, are $l(n)$ bits long. 

3. Arthur's decision predicate is in $NC^1$. (This property is not really necessary, but simplifies 
our proof slightly.) 

We adopt the following notation. The string $A_i$ denotes Arthur's $i$th message, and $M_i$ de- 
notes Merlin's $i$th response. We denote by $a^i_j$ the $j$th bit of Arthur's $i$th message, and by 
$m^i_j$ the $j$th bit of Merlin's $i$th message. We denote by $A(x, A_1, \ldots, A_{r(n)}, M_1, \ldots, M_{r(n)})$ 
the decision predicate computed by Arthur at the end of the protocol. Given some vector 
$\bar A = A_1, \ldots, A_{r(n)}$, and input $x$, of length $n$, we define $A_{\bar A, x}(M_1, \ldots, M_{r(n)})$ to be equal 
to $A(x, A_1, \ldots, A_{r(n)}, M_1, \ldots, M_{r(n)})$. Any circuit for $A$ can be trivially transformed into a 
circuit for $A_{\bar A, x}$ without increasing its size or depth. 

We now exhibit a modified protocol $(M' \leftrightarrow A')$ which uses envelopes. We claim that this 
protocol will be in perfect zero-knowledge, and will also be a one-sided "weak" proof system for 
$L$. By "weak" we mean that for any $x \notin L$, $A'$ will accept with probability at most $1 - 1/|x|^c$, 
for some fixed $c$. 

Protocol $(M' \leftrightarrow A')(x)$ 

1: For $i \in [1, r(n)]$ Merlin and Arthur execute the following two steps. Arthur sends Merlin a 
random string $A_i$. Merlin computes his answer, $M_i$, and runs protocol commit($m^i_1, \ldots, m^i_{l(n)}$). 
The commital protocol will generate $Q = 2r(n)l(n)$ bits, which we denote by $x_1, \ldots, x_Q$. 

2: Let $\bar A = A_1, \ldots, A_{r(n)}$. The prover executes protocol prove($x_1, \ldots, x_Q$, $A_{\bar A, x}$). $A'$ 
accepts iff he doesn't reject in protocol prove. 

This protocol is clearly in perfect zero-knowledge, since the commital and proof protocols are in 
perfect zero-knowledge. Since the protocol is one-sided, the prover will always be able to execute 
protocol prove, so this doesn't give any information. 

To see that this protocol remains a "weak" proof, we note that if $x \notin L$, then with prob- 
ability at least 1/3, $A_{\bar A, x}(M_1, \ldots, M_{r(n)})$ will not hold. This is due to the definition of $A_{\bar A, x}$, 
and the fact that $(M \leftrightarrow A)$ is a proof system. In this case, there is some $c$, depending on $A$, 
such that $A'$ will reject during the prove protocol with probability at least $1/n^c$. Hence, if 
$x \notin L$, then $A'$ will reject with probability at least $1/3n^c$. This probability of rejection may be 
made exponentially close to 1, maintaining both the one-sidedness and the perfect zero-knowledge 
properties, by the standard trick of running the above protocol many times in succession. □ 

It is interesting that the above proof never uses the ability to decommit notarized envelopes. 
ABSTRACT 

An interactive proof is called perfect zero-knowledge if the probability distribution gen- 
erated by any probabilistic polynomial-time verifier interacting with the prover on input a 
theorem $\phi$, can be generated by another probabilistic polynomial time machine which only gets $\phi$ 
as input (and interacts with nobody!). 

In this paper we present a perfect zero-knowledge proof system for a decision problem 
which is computationally equivalent to the Discrete Logarithm Problem. Doing so we provide 
additional evidence to the belief that perfect zero-knowledge proofs exist in a non-trivial manner 
(i.e. for languages not in BPP). Our results extend to the logarithm problem in any finite Abelian 
group. 



1. INTRODUCTION 

One of the most basic questions in complexity theory is how much knowledge should be 
yielded in order to convince a polynomial-time verifier of the validity of some theorem. This ques- 
tion was raised by Goldwasser, Micali and Rackoff [GMR], with special emphasis on the extreme 
case where nothing but the validity of the theorem is given away in the process of proving the 
theorem. Such proofs are known as zero-knowledge proofs and have been the focus of much 
attention in recent years. Loosely speaking, whatever can be efficiently computed after participat- 
ing in a zero-knowledge proof can be efficiently computed when just assuming the validity of the 
assertion. 

The definition of zero-knowledge considers two types of probability distributions: 

1) A distribution generated by a probabilistic polynomial-time verifier after participating in an 
interaction with the prover. 

2) A distribution generated by a probabilistic polynomial-time machine on input the theorem. 

Zero-knowledge means that for each distribution of type (1) there exists a distribution of type (2) 
such that these two distributions are "essentially equal". The exact definition of zero-knowledge 
depends on the exact interpretation of "essentially equal" distributions. Two extreme cases are 
of particular interest: 
• Perfect zero-knowledge. This notion is derived when interpreting "essentially equal" in the 
most conservative way; namely, exactly equal. 

• Computational zero-knowledge. This notion is derived when interpreting "essentially 
equal" in a very liberal way; namely, requiring that the distribution ensembles are polyno- 
mially indistinguishable. Loosely speaking, two distribution ensembles are polynomially 
indistinguishable if they can not be told apart by any probabilistic polynomial time test. For 
definition see [Y]. 

1.1. Known Results 

Assuming the existence of one-way permutations, Goldreich, Micali and Wigderson 
showed that any language in NP has a computational zero-knowledge proof [GMW]. Using this 
result one can also show that whatever can be proven through an efficient interactive proof, can 
be proven through such a computational zero-knowledge proof [BGGHMR, IY]. Thus, assuming 
the existence of one-way permutations, the question of which languages have computational 
zero-knowledge proofs is closed. 

Much less is known about perfect zero-knowledge. Clearly any language in BPP has a 
trivial perfect zero-knowledge proof (in which the prover is inactive...). Several languages 
believed not to be in BPP were shown to have perfect zero-knowledge proofs. These include 
Quadratic Residuosity and Quadratic non-Residuosity [GMR], Graph Isomorphism and Graph 
non-Isomorphism [GMW], and membership and non-membership in a subgroup generated by a 
given group element [TW]. (It should be noticed that Tompa and Woll's proof of "possession of 
the Discrete Logarithm" is in fact a proof of membership in a subgroup generated by a primitive 
element. So are the proofs given by [CEGP, CG].) 

The complexity of languages which have perfect zero-knowledge interactive proofs was 
studied by Fortnow [F] and then by Aiello and Hastad [AH]. They prove that if a language $L$ has 
a perfect zero-knowledge interactive proof system then both $L$ and $\bar{L}$ have two-step interactive 
proofs. This implies that languages having perfect zero-knowledge proofs fall quite low in the 
polynomial time hierarchy (i.e. as low as $\Pi_2^P \cap \Sigma_2^P$). Using a result of Boppana, Hastad and 
Zachos [BHZ], such languages can also not be NP-complete, unless the polynomial time hierar- 
chy collapses to its second level. 

Perfect zero-knowledge proofs should not be confused with the perfect zero-knowledge 
pseudo-proofs presented by Brassard and Crepeau [BC]. By a pseudo-proof we mean that the 
verifier is convinced only if he believes that the prover is a polynomial-time machine with some 
auxiliary input (which is fixed before the protocol starts), and if some intractability assumption 
does hold. For example, if factoring is intractable then every NP language has a perfect zero- 
knowledge pseudo-proof [BC]. Brickell et al. presented a perfect zero-knowledge pseudo-proof 
for a problem equivalent to the discrete logarithm problem, assuming the existence of any one- 
way permutation [BCDG]. It should be noted however that the class of languages having perfect 
zero-knowledge pseudo-proof does not seem to have the same complexity as the class of 
languages having perfect zero-knowledge proofs. Furthermore, assuming the intractability of fac- 
toring every language having an interactive proof has a perfect zero-knowledge pseudo-proof, 
and thus the class of languages having such proofs collides with the class of languages having 
computational zero-knowledge proofs. 
1.2. Our Results 

In this paper we present a perfect zero-knowledge proof system for a decision problem 
which is computationally equivalent to the Discrete Logarithm Problem. Doing so, we present a 
perfect zero-knowledge proof for a problem which is widely believed to be intractable. Thus, we 
provide additional evidence to the belief that perfect zero-knowledge proofs exist in a non-trivial 
manner (i.e. for languages not in BPP). 

Let $p$ be a prime, and $g$ be a primitive element in the multiplicative group modulo $p$. The 
Discrete Logarithm Problem (DLP) is to find, given integers $p$, $g$ and $y$, an integer $x$ such that 
$g^x \equiv y \pmod p$. Solving DLP is considered intractable, in particular when $p-1$ has large prime 
factors. The best algorithms known for this problem run in subexponential time 
($\exp\{O(\sqrt{\log p \log\log p})\}$), see Odlyzko's survey [O]. It has been shown that determining 
whether* $x < \frac{p-1}{2}$ is computationally equivalent to finding $x$, on inputs $p$, $g$ and $g^x \bmod p$ [BM]. 
This is the case even if $x$ is guaranteed to lie either in the interval $[1, \epsilon p]$ or in the interval 
$[\frac{p-1}{2}+1, \frac{p-1}{2}+\epsilon p]$, where $0 < \epsilon < 1/6$ is a constant or a function bounded below by $(\log p)^{-O(1)}$. 
This promise problem is hereby referred to as DLP1. 

In this paper, we present a perfect zero-knowledge proof for DLP1. Using the computa- 
tional equivalence with DLP, we have a perfect zero-knowledge proof for a problem considered 
computationally hard. Both our protocol and the computational equivalence of DLP and DLP1 
extend to any finite Abelian group, in which the group operation can be implemented in 
polynomial-time and the order of the group is known (or can be efficiently found). (In the case of 
acyclic groups, one needs first to define the problems.) 

It should be noted that DLP is always at least as hard as testing membership in a subgroup 
generated by an element of the group. In some cases, for example when $p-1 = 2q$ and $q$ is prime, 
determining membership in a subgroup is easy (see Appendix), while solving DLP in the multi- 
plicative group mod $p$ is considered hard. 

2. PRELIMINARIES 

2.1. Promise Problems and Interactive Proofs 

Loosely speaking a promise problem is a partial decision problem. That is, a decision prob- 
lem in which only a subset of all possible inputs is being considered. 

Formally a promise problem is a pair of predicates $(Q, R)$. A Turing machine $M$ solves the prom- 
ise problem $(Q, R)$ if for every $z$ satisfying $Q(z)$ machine $M$ halts and its answer is "yes" iff 
$R(z)$. When $\neg Q(z)$ we do not care what $M$ does. This definition originates from [ESY]. 

*) In fact, Blum and Micali proved a much stronger statement. Namely, that guessing this bit with success 
probability greater than $1/2 + \epsilon$ is as hard as retrieving $x$ [BM]. 
We are going to extend the definition of interactive proofs given in [GMR] to promise prob- 
lems. Intuitively, an interactive proof system for a promise problem $(Q, R)$ is a two-party proto- 
col for a "powerful" prover $P$ and a probabilistic polynomial-time verifier $V$ satisfying the fol- 
lowing two conditions with respect to the common input, denoted $z$. If $Q(z) \wedge R(z)$ then with a 
very high probability the verifier is "convinced" of $R(z)$, when interacting with the prover. If 
$Q(z) \wedge \neg R(z)$ then no matter what the prover does, he cannot fool the verifier (into believing that 
"$R(z)$ is true"), except with very low probability. When $\neg Q(z)$ nothing is required. 

Definition 1: An interactive proof for a promise problem $(Q, R)$ is a pair of interacting Turing 
machines $\langle P, V \rangle$, satisfying the following three conditions: 

0) $V$ is a probabilistic polynomial-time machine which shares its input with $P$ and they can 
communicate with each other using special communication tapes. 

1) Completeness condition: For every constant $c > 0$, and all sufficiently long $z$, if $Q(z) \wedge R(z)$ 
then 

$$\mathrm{Prob}(V \text{ will accept } z \text{ after interacting with } P) > 1 - |z|^{-c}.$$

2) Soundness condition: For every Turing machine $P^*$, every constant $c > 0$, and all suffi- 
ciently long $z$, if $Q(z) \wedge \neg R(z)$ then 

$$\mathrm{Prob}(V \text{ will reject } z \text{ after interacting with } P^*) > 1 - |z|^{-c}.$$

2.2. Perfect Zero-Knowledge Proofs for Promise Problems 

Here, again, we are going to extend the definition given by [GMR] to promise problems. 

Definition 2: Let $\langle P, V \rangle$ be an interactive proof system for a promise problem $(Q, R)$, and $V^*$ be 
an arbitrary verifier. Denote by $\langle P, V^* \rangle(z)$ the probability distribution on all the read-only tapes 
of $V^*$ when interacting with $P$ (the prover) on common input $z$. We say that the proof system 
$\langle P, V \rangle$ is perfect zero-knowledge for $(Q, R)$ if for every polynomial-time verifier $V^*$ there exists 
a probabilistic machine $M_{V^*}$ running in expected polynomial-time such that for every $z$ satisfying 
$Q(z) \wedge R(z)$ the distributions $M_{V^*}(z)$ and $\langle P, V^* \rangle(z)$ are equal. 

2.3. The Discrete Logarithm Problem and a Related Promise Problem 

Let $p$ be a prime. The set of integers $[1, p-1]$ forms a cyclic group of $p-1$ elements under 
multiplication mod $p$ which is denoted $Z_p^*$. The Discrete Logarithm problem (DLP) with input 
$p, g$ and $y$ is to find $x \in [1, p-1]$ such that $y \equiv g^x \bmod p$. (We use the notation $x = \mathrm{Dlog}_g y$.) 

Let $y$ be an element of $Z_p^*$ and let $g$ be a primitive element (a generator). We define the 
Half predicate $H$ as follows: 

$$H(p, g, y) \Leftrightarrow \mathrm{Dlog}_g y \in [\tfrac{p-1}{2}+1,\ p-1]$$

Let $n = \log_2 p$ and let $\epsilon(n) < 1/6$ be a fraction bounded below by . We define the follow- 
ing predicate: 

$$Q_\epsilon(p, g, y) \Leftrightarrow g \text{ is a generator of } Z_p^* \text{ and } \mathrm{Dlog}_g y \in [1, \epsilon(n)(p-1)] \text{ or } [\tfrac{p-1}{2}+1,\ \tfrac{p-1}{2}+\epsilon(n)(p-1)]$$

When it will be clear from the context we will shorten $H(p, g, y)$ and $Q_\epsilon(p, g, y)$ by $H(y)$ and 
$Q(y)$ respectively. 

The promise problem defined by the pair of predicates $(Q_\epsilon, H)$ will be called in this work DLP1. 
Blum and Micali have shown that DLP1 is polynomially-equivalent to the original DLP in 
the group $Z_p^*$ [BM]. 

2.4. Notations 

1) Let $s$ and $t$ be two integers such that $1 \le s, t \le p-1$. $[s,t]$ denotes the set of integers 
$\{s, s+1, \ldots, t-1, t\}$ in case $s \le t$, or $\{s, s+1, \ldots, p-1, 1, 2, \ldots, t\}$ in case $s > t$. 

2) Let $S$ be a set. The notation $r \in_R S$ means that $r$ is chosen at random with uniform proba- 
bility distribution among the elements of $S$. 

3. THE PROTOCOL FOR DLP1 IN $Z_p^*$ 

In this section we will introduce a perfect zero-knowledge protocol for the promise problem 
DLP 1. In order to make the protocol more clear we will first introduce a protocol which is per- 
fect zero-knowledge with respect to the honest verifier. 

3.1. Protocol 1 - Perfect Zero Knowledge Proof with respect to the Honest Verifier 

Here is a protocol for the promise problem $(Q_c(p, g, y), H(p, g, y))$ where $c$ is a constant 
such that $0 < c < 1/6$: 

common input: The integers $p, g$ and $y$ as previously defined. 

The following 3 steps are executed $n = \log_2 p$ times (unless the verifier rejects previously), each 
time using independent random coin tosses. 

V1) The verifier chooses at random a bit $b \in_R \{0,1\}$ and an integer $r \in_R [1, 2c(p-1)]$. The 
verifier computes $\alpha = y^b g^r$ and sends $\alpha$ to the prover. 

P1) The prover computes $\beta = H(\alpha)$ and sends it to the verifier. 

V2) If $\beta \ne b$, then the verifier rejects. 

If all $n$ rounds are completed without the verifier rejecting then the verifier accepts. 

Theorem 1: Assuming $c < 1/6$, protocol 1 constitutes an interactive proof system for DLP1. 

Proof: Recall that $x$ denotes $\mathrm{Dlog}_g y$ (i.e. $y \equiv g^x \bmod p$). 

Completeness: If $Q(y) \wedge H(y)$ then $x \in [\tfrac{p-1}{2}+1,\ \tfrac{p-1}{2}+c(p-1)]$ and then, according to the 
ranges in which $b$ and $r$ are chosen from, in each round $\beta = H(\alpha) = H(y^b g^r) = H(g^{bx+r}) = b$. 

Soundness: If $Q(y) \wedge \neg H(y)$ then we have $x \in [1, c(p-1)]$. Therefore if the verifier chooses $b=0$ 
then $\mathrm{Dlog}_g \alpha \in [1, 2c(p-1)]$ and if he chooses $b=1$ then $\mathrm{Dlog}_g \alpha \in [x+1, x+2c(p-1)]$. In this case, 
for any prover $P^*$ we are looking for the probability that $V$ does not reject in a single round: 

$$\begin{aligned}
\mathrm{Prob}(V \text{ does not reject}) &= \mathrm{Prob}(P^*(\alpha) = b) \\
&= \mathrm{Prob}(b=0)\,\mathrm{Prob}(P^*(\alpha)=b \mid b=0) + \mathrm{Prob}(b=1)\,\mathrm{Prob}(P^*(\alpha)=b \mid b=1) \\
&= \tfrac{1}{2}\,\mathrm{Prob}(P^*(g^r)=0) + \tfrac{1}{2}\,\mathrm{Prob}(P^*(y g^r)=1) \\
&= \tfrac{1}{2}\cdot\frac{1}{2c(p-1)}\Big(\sum_{i=1}^{x}\mathrm{Prob}(P^*(g^i)=0) + \sum_{i=x+1}^{2c(p-1)}\big(\mathrm{Prob}(P^*(g^i)=0)+\mathrm{Prob}(P^*(g^i)=1)\big) + \sum_{i=2c(p-1)+1}^{2c(p-1)+x}\mathrm{Prob}(P^*(g^i)=1)\Big) \\
&\le \tfrac{1}{2}\cdot\frac{1}{2c(p-1)}\big(x + (2c(p-1)-x) + x\big) \\
&= \tfrac{1}{2}\cdot\frac{2c(p-1)+x}{2c(p-1)} \le \tfrac{1}{2}\cdot\frac{2c(p-1)+c(p-1)}{2c(p-1)} = \tfrac{3}{4}.
\end{aligned}$$

Therefore in $n$ iterations the probability that the verifier will not reject this input is exponentially 
low (i.e. $(3/4)^n$). □ 



Remark: It is clear that this protocol is perfect zero-knowledge with respect to the honest verifier 
$V$. The simulator $M_V$ chooses the random tape for $V$, and therefore knows the $b$ which $V$ will 
choose and can compute $\beta = H(\alpha) = b$. 
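Protocol 1 and the soundness computation in the proof of Theorem 1, as an added Python example (not code from the paper). The group parameters $p = 101$, $g = 2$ and $c = 1/10$ are constructed toy values; the prover's unbounded power is simulated by a brute-force discrete logarithm; and `best_cheater` evaluates the optimal prover's single-round success $\tfrac{1}{2}\sum_\alpha \max_b \mathrm{Prob}(\alpha \mid b)$ exactly, which reproduces the bound $\tfrac{1}{2}\cdot\frac{2c(p-1)+x}{2c(p-1)} \le 3/4$ for every $x \in [1, c(p-1)]$. Function names are this example's own.

```python
"""Protocol 1 (honest-verifier perfect ZK for DLP1 in Z_p^*) and its soundness bound (added example)."""
import random

def prime_factors(n):
    """Distinct prime factors by trial division (fine for toy sizes)."""
    out, q = set(), 2
    while q * q <= n:
        while n % q == 0:
            out.add(q)
            n //= q
        q += 1
    if n > 1:
        out.add(n)
    return out

def is_generator(p, g):
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def dlog(p, g, a):
    """Brute-force Dlog_g a in [1, p-1]; stands in for the unbounded prover."""
    for x in range(1, p):
        if pow(g, x, p) == a:
            return x
    raise ValueError("not in the group")

def H(p, g, a):
    """The Half predicate: Dlog_g a lies in the upper half [(p-1)/2 + 1, p-1]."""
    return dlog(p, g, a) > (p - 1) // 2

def protocol1(p, g, y, c_num, c_den, rng, prover):
    """Run n = bit length of p rounds with c = c_num/c_den; `prover(alpha)` returns beta.
    Returns True iff the verifier accepts."""
    width = 2 * c_num * (p - 1) // c_den              # r is drawn from [1, 2c(p-1)]
    for _ in range(p.bit_length()):
        b = rng.randrange(2)
        r = rng.randrange(1, width + 1)
        alpha = pow(y, b, p) * pow(g, r, p) % p       # V1: alpha = y^b g^r
        if prover(alpha) != b:                        # P1, then V2
            return False
    return True

def best_cheater(p, g, x, c_num, c_den):
    """Exact single-round success of the best prover when x = Dlog_g y lies in the
    low range [1, c(p-1)] (so H(y) is false): (1/2) * sum over alpha of max_b Prob(alpha | b)."""
    width = 2 * c_num * (p - 1) // c_den
    total = 0.0
    for d in range(1, p):                             # d = Dlog_g alpha ranges over the group
        p0 = 1 / width if 1 <= d <= width else 0.0    # b = 0: d = r
        r1 = (d - x) % (p - 1) or (p - 1)             # b = 1: d = x + r, so r = d - x
        p1 = 1 / width if 1 <= r1 <= width else 0.0
        total += 0.5 * max(p0, p1)
    return total

def demo(seed=7):
    p, g, c = 101, 2, (1, 10)          # constructed toy parameters: c = 1/10 < 1/6
    rng = random.Random(seed)          # demo only; use secrets.SystemRandom() for real runs
    x_true, x_false = 55, 7            # 55 in [51, 60]: H(y) holds; 7 in [1, 10]: H(y) fails
    honest = lambda alpha: int(H(p, g, alpha))       # the unbounded prover just evaluates H
    return {
        "generator": is_generator(p, g),
        "complete": protocol1(p, g, pow(g, x_true, p), *c, rng, honest),
        # an honest prover on a false statement is rejected unless every b is 0 (prob 2^-n)
        "honest_on_false": protocol1(p, g, pow(g, x_false, p), *c, rng, honest),
        # the maximum over the whole low range reproduces the 3/4 of Theorem 1
        "cheat_bound": max(best_cheater(p, g, x, *c) for x in range(1, 11)),
    }
```

With $x$ in the upper range the honest prover's $\beta$ always equals $b$, so completeness holds in every round; with $x$ in the low range the two conditional distributions of $\alpha$ overlap on $2c(p-1) - x$ group elements, and the exact optimum $\tfrac{1}{2}(1 + x/2c(p-1))$ is largest, $3/4$, at $x = c(p-1)$.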



The interactive proof for DLP1 presented above is probably not zero-knowledge with 
respect to arbitrary verifiers: a cheating verifier interacting with the prover may send $\alpha$'s for which 
he wants to know $H(\alpha)$; he could also choose $r \notin [1, 2c(p-1)]$ and get in this way some addi- 
tional information about $x$. The way to prevent this is to let the verifier first "prove" to the 
prover that he "knows" $H(\alpha)$. This is done in the following protocol. 

3.2. Protocol 2 - Perfect Zero Knowledge Proof with respect to Any Verifier 

The previous protocol will be modified. The modification follows an idea of [GMR] used 
also in [GMW] and simplified by [Bh]. However in our case the modification is more complex. 

In the following protocol we provide an interactive proof for the promise problem 
$(Q_{c/n^2}(p, g, y), H(p, g, y))$ where $c$ is a constant such that $0 < c < \tfrac{1}{4}$. 

common input: The integers $p, g$ and $y$ as previously defined. 

The following 5 steps are repeated $n = \log_2 p$ times (unless the verifier rejects previously), each 
time using independent random coin tosses. 

V1) The verifier chooses at random a bit $b \in_R \{0,1\}$ and an integer 
$r \in_R [\tfrac{p-1}{4}+1,\ \tfrac{p-1}{4}+c(p-1)]$. The verifier computes $\alpha = y^b g^r$ and sends $\alpha$ to the 
prover. In addition to $\alpha$ he computes $n$ pairs of integers. The $i$-th pair is denoted $\alpha_i$ and is 
constructed in the following way: The verifier chooses at random $\gamma_i \in_R \{0,1\}$ and 
$r_{i,0}, r_{i,1} \in_R [1, c(p-1)]$. He computes $\alpha_{i,0} = y^{\gamma_i} g^{r_{i,0}}$ and $\alpha_{i,1} = y^{(\gamma_i+1) \bmod 2} g^{r_{i,1}}$ and at last 
sets $\alpha_i = (\alpha_{i,0}, \alpha_{i,1})$. The verifier sends the list of pairs to the prover. 

P1) The prover chooses at random a subset $I \subseteq \{1, 2, \ldots, n\}$ with uniform probability distribution 
among all $2^n$ subsets. The prover sends $I$ to the verifier. 

V2) If $I$ is not a subset of $\{1, 2, \ldots, n\}$ then the verifier halts and rejects. Otherwise, the verifier 
replies with $\{(\gamma_i, r_{i,0}, r_{i,1}) : i \in I\}$ and $\{(\gamma'_i = (\gamma_i + b + 1) \bmod 2,\ l_i = r + r_{i,\gamma'_i}) : i \in \bar I\}$ 
(where $\bar I = \{1, 2, \ldots, n\} - I$). 

P2) For every $i \in I$ the prover checks that $\alpha_i$ is constructed according to the protocol (i.e. 
$r_{i,0}, r_{i,1} \in [1, c(p-1)]$ and $\alpha_i = (y^{\gamma_i} g^{r_{i,0}},\ y^{(\gamma_i+1) \bmod 2} g^{r_{i,1}})$). He also checks for every $i \in \bar I$ 
that $l_i \in [\tfrac{p-1}{4}+2,\ \tfrac{p-1}{4}+2c(p-1)]$ and $y g^{l_i} = \alpha \cdot \alpha_{i,\gamma'_i}$. If either condition is 
violated the prover stops. Otherwise, the prover computes $\beta = H(\alpha)$ and sends it to the verif- 
ier. 

V3) If $\beta \ne b$, then the verifier rejects. Otherwise he continues. 

If all $n$ rounds are completed without the verifier rejecting then the verifier accepts. 



Theorem 2: Protocol 2 constitutes a perfect zero-knowledge interactive proof system for DLP1. 

Proof: We will first prove that Protocol 2 is an interactive proof for DLP1 and then we will show 
that it is perfect zero-knowledge. Recall again that $x = \mathrm{Dlog}_g y$. 

Completeness: Similar to the completeness in theorem 1. 

Soundness: We are going to prove that although $\alpha$ and the list of pairs $S = \{\alpha_1, \ldots, \alpha_n\}$ can give 
information to the prover, there is a big enough probability that $\alpha$ and $S$ will not give him any- 
thing that will help him to convince $V$ that $x \in [\tfrac{p-1}{2}+1,\ \tfrac{p-1}{2}+\tfrac{c(p-1)}{n^2}]$ when in fact 
$x \in [1, \tfrac{c(p-1)}{n^2}]$. 

We call $\alpha$ good if it is constructed using 

$$r \in \Big[\tfrac{p-1}{4} + \tfrac{c(p-1)}{n^2} + 1,\ \ \tfrac{p-1}{4} + c(p-1) - \tfrac{c(p-1)}{n^2}\Big].$$

Otherwise $\alpha$ is bad. Intuitively, when $\alpha$ is good the prover can not learn anything about $b$ from 
$\alpha$, for any $x \in [1, \tfrac{c(p-1)}{n^2}]$ (since in this case $\mathrm{Prob}(b=0 \mid y^b g^r = \alpha) = \tfrac{1}{2}$). The probability that $\alpha$ 
is bad is $\tfrac{2}{n^2}$. 

Similarly we will call a pair $\alpha_i$ good if both $r_{i,0}$ and $r_{i,1}$ are in $[\tfrac{c(p-1)}{n^2}+1,\ c(p-1) - \tfrac{c(p-1)}{n^2}]$. 
Otherwise $\alpha_i$ is bad. The list of pairs $S$ is good if every $\alpha_i$ is good, and is bad otherwise. The 
probability that a pair $\alpha_i$ is bad is less than $\tfrac{4}{n^2}$ and the probability that $S$ is bad is therefore less 
than $\tfrac{4n}{n^2} = \tfrac{4}{n}$. 

We remark here that since $P^*$ has infinite power we can assume without loss of generality that $P^*$ 
is deterministic. Therefore for any $\alpha$ and $S$ the prover $P^*$ always chooses the same subset $I$, 
denoted $f(\alpha, S)$. 

Our first claim is the following: 

$$\forall \text{ good } \alpha\ \ \forall \text{ good } S\ \ \forall I\ \ \forall l_i\ \ \forall \gamma'_i:\quad 
\mathrm{Prob}\Big(b = 0 \ \Big|\ y^b g^r = \alpha\ \wedge\ f(\alpha, S) = I\ \wedge\ \forall i \in \bar I\ \big(y g^{l_i} = \alpha\,\alpha_{i,\gamma'_i}\ \wedge\ l_i = r + r_{i,\gamma'_i}\big)\Big) = \tfrac{1}{2}$$

The reason is that when $\alpha$ and $S$ are good then assigning any value to $b$ yields unique values for 
all the other variables $r$, $r_{i,0}$ and $r_{i,1}$. Thus, assuming $I = f(\alpha, S)$, there are only two elements in 
the conditional probability space, one corresponding to $b=0$ and the other to $b=1$. Using this claim 
we will show now that the probability that $P^*$ will convince $V$ in a single round is low: 

$$\begin{aligned}
&\mathrm{Prob}\Big(P^*\big(\alpha, S, \{(\gamma_i, r_{i,0}, r_{i,1}) : i \in f(\alpha,S)\}, \{(\gamma'_i, l_i) : i \notin f(\alpha,S)\}\big) = b\Big) \\
&\le \mathrm{Prob}\Big(P^*\big(\alpha, S, \{(\gamma_i, r_{i,0}, r_{i,1}) : i \in f(\alpha,S)\}, \{(\gamma'_i, l_i) : i \notin f(\alpha,S)\}\big) = b \ \Big|\ \alpha \text{ and } S \text{ are good}\Big) \\
&\quad + \mathrm{Prob}(\alpha \text{ is bad or } S \text{ is bad}) \\
&\le \tfrac{1}{2} + \tfrac{2}{n^2} + \tfrac{4}{n}.
\end{aligned}$$

Therefore the probability that $P^*$ will mislead $V$ (i.e. provide correct $\beta$'s) in all $n$ rounds is 
exponentially low. 

Zero-knowledge: For every interactive machine $V^*$, we will present a machine $M_{V^*}$ so that for 
every input satisfying $Q(p, g, y) \wedge H(p, g, y)$ we have $M_{V^*}(p, g, y) = \langle P, V^* \rangle(p, g, y)$. The machine 
$M_{V^*}$ uses $V^*$ as a subroutine. 

The idea of the simulator $M_{V^*}$ is to cause $V^*$ to yield all the information needed for calcu- 
lating $H(\alpha)$. This is done by executing $V^*$ several times with the same random tape, so that $V^*$ 
will send the same $\alpha$ and $S$. Machine $M_{V^*}$ will try to get for one of the pairs $\alpha_i$ the information 
$\{\gamma_i, r_{i,0}, r_{i,1}\}$ in one round and $\{\gamma'_i, l_i\}$ in another. If this information is constructed according to 
the protocol ($M_{V^*}$ will check it) then this is enough for calculating $H(\alpha)$. 

Following is a detailed description of $M_{V^*}$. Machine $M_{V^*}$ starts by choosing a random tape 
$\rho \in_R \{0,1\}^q$ for $V^*$, where $q = \mathrm{poly}(|p, g, y|)$ is a bound on the running time of $V^*$ on the current 
input (clearly, $V^*$ reads at most $q$ bits from its random tape). $M_{V^*}$ places $\rho$ on its record tape 
and proceeds in $n$ rounds as follows. 

Round $j$: 

S1) $M_{V^*}$ initiates $V^*$ on the input ($p, g$ and $y$) and random tape $\rho$, and reads from the communi- 
cation tape of $V^*$ the pairs $\alpha$ and $\alpha_1, \ldots, \alpha_n$. $M_{V^*}$ chooses a random subset $I$ and places it on 
the communication tape of $V^*$. $M_{V^*}$ also appends $I$ to its record tape. 

S2) $M_{V^*}$ reads from the communication tape of $V^*$ $\{(\gamma_i, r_{i,0}, r_{i,1}) : i \in I\}$ and $\{(\gamma'_i, l_i) : i \in \bar I\}$. For 
every $i \in I$ machine $M_{V^*}$ checks whether $\gamma_i \in \{0,1\}$, $r_{i,0}, r_{i,1} \in [1, c(p-1)]$ and whether 
$\alpha_i = (y^{\gamma_i} g^{r_{i,0}},\ y^{(\gamma_i+1) \bmod 2} g^{r_{i,1}})$. It also checks for every $i \in \bar I$ whether 
$l_i \in [\tfrac{p-1}{4}+2,\ \tfrac{p-1}{4}+2c(p-1)]$ and $y g^{l_i} = \alpha \cdot \alpha_{i,\gamma'_i}$. If either condition is violated 
$M_{V^*}$ outputs its record tape and stops. Otherwise, $M_{V^*}$ continues to step (S3). 

S3) The purpose of this step is to find $H(\alpha)$. This is done by repeating the following procedure 
(until $H(\alpha)$ is found): 

(S3.1) Machine $M_{V^*}$ chooses at random a subset $K \subseteq \{1, 2, \ldots, n\}$ not equal to $I$. Machine 
$M_{V^*}$ initiates $V^*$ on the same input and the same (!) random tape $\rho$ and places $K$ as the first 
message on the read-only communication tape of $V^*$. Consequently, machine $M_{V^*}$ reads 
from the communication tape of $V^*$ $\{(\delta_i, s_{i,0}, s_{i,1}) : i \in K\}$ and $\{(\delta'_i, l'_i) : i \in \bar K\}$. 

(S3.2) $M_{V^*}$ checks whether the information he received is ok (the same tests as he does for 
the answers to $I$). If it is not ok he returns back to step (S3.1). Otherwise $M_{V^*}$ finds $i$ such 
that $i \in I \cap \bar K$ or $i \in \bar I \cap K$. Such an $i$ exists since $I \ne K$; without loss of generality we 
assume that $i \in I \cap \bar K$. Machine $M_{V^*}$ sets $\beta = (\gamma_i + \delta'_i + 1) \bmod 2$. 

(S3.3) In parallel to (S3.1) and (S3.2), try to find $H(\alpha)$ by exhaustive search. (Make one try 
per each invocation of $V^*$.) 

S4) Once $\beta$ is found, machine $M_{V^*}$ appends $\beta$ to its record tape, thus completing round $j$. 

If all rounds are completed then $M_{V^*}$ outputs its record tape and halts. 



We now have to prove the validity of the construction. First, we will prove that the simula- 
tor $M_{V^*}$ indeed terminates in expected polynomial-time. Next, we will prove that the output dis- 
tribution produced by $M_{V^*}$ does equal the distribution over $V^*$'s tapes (when interacting with $P$). 
Once these two claims are proven, the Theorem follows. 

Claim 1: Machine $M_{V^*}$ terminates in expected polynomial time. 

Proof: We consider the expected running time on a single round with respect to a particular ran- 
dom tape $\rho$. We call a subset $I \subseteq \{1, 2, \ldots, n\}$ good if $V^*$ answers properly on message $I$ with ran- 
dom tape $\rho$. Denote by $g_\rho$ the number of good subsets with respect to random tape $\rho$. Clearly, 
$0 \le g_\rho \le 2^n$. We will compute the expected number of times $V^*$ is invoked in round $j$ as a function 
of $g_\rho$. We need to consider three cases: 

Case 1 ($g_\rho \ge 2$): In case the subset $I$ chosen in step (S1) is good, we have to consider the proba- 
bility that another subset $K$ is also good. In case the set $I$ chosen in step (S1) is bad, the round is 
completed immediately. Thus, the expected number of invocations is 

$$\frac{g_\rho}{2^n}\Big(1 + \frac{2^n - 1}{g_\rho - 1}\Big) + \Big(1 - \frac{g_\rho}{2^n}\Big),$$

which is bounded by a constant since $g_\rho/(g_\rho - 1) \le 2$. 

Case 2 ($g_\rho = 1$): With exponentially small probability (i.e. $2^{-n}$) the subset $I$ chosen in step (S1) is 
good. In this case we find $\beta$ by exhaustive search (in stage (S3.3)). Otherwise, the round is com- 
pleted immediately. Thus, the expected complexity of $M_{V^*}$ in case 2 is bounded by one invoca- 
tion of $V^*$ and an additional $(p-1) \cdot 2^{-n} < 1$ step. 

Case 3 ($g_\rho = 0$): The subset $I$ chosen in step (S1) is always bad, and thus $M_{V^*}$ invokes $V^*$ exactly 
once and then halts. 

The claim follows by additivity of expectation and the fact that $V^*$ is polynomial-time. □ 

Claim 2: The probability distribution $M_{V^*}(p, g, y)$ is identical to the distribution $\langle P, V^* \rangle(p, g, y)$. 

Proof: Both distributions consist of a random $\rho$, and a sequence of elements, each being either 
$(I, \beta)$ (with good $I$) or a bad $I$, with random $I$. In $\langle P, V^* \rangle(p, g, y)$ we have $\beta = H(\alpha)$; we need to 
show that this is the case also in $M_{V^*}(p, g, y)$, i.e. we will prove that when $I$ is good then $M_{V^*}$ 
succeeds in finding $H(\alpha)$. But this is true because either he finds $H(\alpha)$ by exhaustive search or 
finds an $i$ in which $\gamma_i$, $r_{i,0}$, $r_{i,1}$, $\delta'_i$ and $l'_i$ are all correct (i.e. $r_{i,0}, r_{i,1} \in [1, c(p-1)]$, 
$l'_i \in [\tfrac{p-1}{4}+2,\ \tfrac{p-1}{4}+2c(p-1)]$, $\alpha_{i,j} = y^{(\gamma_i + j) \bmod 2} g^{r_{i,j}}$ and $y g^{l'_i} = \alpha\,\alpha_{i,\delta'_i}$). In this case 
we have: 

$$\begin{aligned}
H(\alpha) &= H\big(y g^{l'_i} (\alpha_{i,\delta'_i})^{-1}\big) \\
&= H\big(y g^{l'_i} (y^{(\gamma_i + \delta'_i) \bmod 2} g^{r_{i,\delta'_i}})^{-1}\big) \\
&= H\big(y^{(\gamma_i + \delta'_i + 1) \bmod 2} g^{l'_i - r_{i,\delta'_i}}\big) = (\gamma_i + \delta'_i + 1) \bmod 2. \quad □
\end{aligned}$$

The Theorem follows. □ 
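The verifier's pairs in Protocol 2, the prover's checks of step P2, and the simulator's rewinding step (S3) with the extraction used in the proof of Claim 2, as an added Python example that is not the paper's code. Ranges follow the protocol as reconstructed above, with constructed toy parameters $p = 101$, $g = 2$, $c = 1/10$ and $n = 4$ pairs, so the $c/n^2$ slack of the soundness argument is not modelled; the example is about the mechanics: an honest verifier with a fixed random tape answers two different subsets $I \ne K$ consistently, and $\beta = (\gamma_i + \delta'_i + 1) \bmod 2$ computed from one opened pair and one linked pair equals $H(\alpha)$ without any discrete logarithm being taken. Class and function names are this example's own.

```python
"""Protocol 2 pairs and the simulator's rewinding extraction (added example, toy parameters)."""
import random

P, G = 101, 2                  # constructed toy group: 2 generates Z_101^*
C_NUM, C_DEN = 1, 10           # c = 1/10

def dlog(a):
    """Brute force; only used to check the extracted bit against the true H(alpha)."""
    for x in range(1, P):
        if pow(G, x, P) == a:
            return x
    raise ValueError("not in the group")

def H(a):
    return int(dlog(a) > (P - 1) // 2)

def r_range():
    """r in [(p-1)/4 + 1, (p-1)/4 + c(p-1)] (the range of step V1 as reconstructed above)."""
    return (P - 1) // 4 + 1, (P - 1) // 4 + C_NUM * (P - 1) // C_DEN

def pair_range():
    """r_{i,0}, r_{i,1} in [1, c(p-1)]."""
    return 1, C_NUM * (P - 1) // C_DEN

class Verifier:
    """Honest V with a fixed random tape: V1 builds alpha and n pairs; V2 answers any I.
    Because the tape is fixed, one object answers several I's consistently, which is
    exactly what the simulator M_{V*} exploits by rewinding."""
    def __init__(self, y, n, rng):
        self.y, self.n = y, n
        self.b = rng.randrange(2)
        self.r = rng.randint(*r_range())
        self.alpha = pow(y, self.b, P) * pow(G, self.r, P) % P
        self.gamma = [rng.randrange(2) for _ in range(n)]
        self.rr = [(rng.randint(*pair_range()), rng.randint(*pair_range())) for _ in range(n)]
        # alpha_i = (y^{gamma_i} g^{r_{i,0}}, y^{(gamma_i+1) mod 2} g^{r_{i,1}})
        self.pairs = [(pow(y, gi, P) * pow(G, r0, P) % P, pow(y, (gi + 1) % 2, P) * pow(G, r1, P) % P)
                      for gi, (r0, r1) in zip(self.gamma, self.rr)]

    def answer(self, I):
        """V2: open the pairs in I; for i not in I send gamma'_i = gamma_i + b + 1 mod 2 and
        l_i = r + r_{i, gamma'_i}."""
        opened = {i: (self.gamma[i], *self.rr[i]) for i in I}
        linked = {}
        for i in range(self.n):
            if i not in I:
                gp = (self.gamma[i] + self.b + 1) % 2
                linked[i] = (gp, self.r + self.rr[i][gp])
        return opened, linked

def prover_checks(alpha, pairs, y, opened, linked):
    """P2: opened pairs must be well formed; linked ones must satisfy y g^{l_i} = alpha * alpha_{i,gamma'_i}."""
    lo, hi = pair_range()
    for i, (gi, r0, r1) in opened.items():
        if not (lo <= r0 <= hi and lo <= r1 <= hi):
            return False
        if pairs[i] != (pow(y, gi, P) * pow(G, r0, P) % P, pow(y, (gi + 1) % 2, P) * pow(G, r1, P) % P):
            return False
    rlo, rhi = r_range()
    for i, (gp, l) in linked.items():
        if not (rlo + lo <= l <= rhi + hi):          # l_i in [(p-1)/4 + 2, (p-1)/4 + 2c(p-1)]
            return False
        if y * pow(G, l, P) % P != alpha * pairs[i][gp] % P:
            return False
    return True

def simulator_extract(V, I, K):
    """Step S3: rewind V (same tape) with a second subset K != I and, for an i opened under
    one subset and linked under the other, output (gamma_i + delta'_i + 1) mod 2."""
    opened_I, linked_I = V.answer(I)
    opened_K, linked_K = V.answer(K)
    if not prover_checks(V.alpha, V.pairs, V.y, opened_I, linked_I):
        return None
    if not prover_checks(V.alpha, V.pairs, V.y, opened_K, linked_K):
        return None
    for i in range(V.n):
        if i in opened_I and i in linked_K:
            return (opened_I[i][0] + linked_K[i][0] + 1) % 2
        if i in opened_K and i in linked_I:
            return (opened_K[i][0] + linked_I[i][0] + 1) % 2
    return None                                      # only happens when I == K

def demo(seed=3):
    rng = random.Random(seed)                        # demo only; use secrets.SystemRandom() for real runs
    x, n = 55, 4                                     # H(y) holds (55 is in the upper half); n pairs
    y = pow(G, x, P)
    V = Verifier(y, n, rng)
    I, K = {0, 1}, {1, 2}
    return {"honest_ok": prover_checks(V.alpha, V.pairs, y, *V.answer(I)),
            "extracted": simulator_extract(V, I, K), "true_H": H(V.alpha), "b": V.b}
```

The extracted value equals $b$ because $\gamma'_i$ (or $\delta'_i$) is $\gamma_i + b + 1 \bmod 2$ for the same $\gamma_i$ and $b$ on both executions, and it equals $H(\alpha)$ because $\mathrm{Dlog}_g \alpha = bx + r$ falls in the upper half exactly when $b = 1$ for $x$ in the upper range and $r$ in the V1 range; a verifier that deviates from the construction fails `prover_checks`, and the simulator then stops, just as the prover would.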



Remark 1: It is not hard to see that instead of executing the protocol sequentially, we can execute 
all the rounds in parallel. 

Remark 2: Let $s$ and $t$ be two integers such that $1 \le s, t \le p-1$. We define $\mathrm{dist}(s,t)$ to be the 
minimal distance between $s$ and $t$ over the circle of numbers $[1, p-1]$. Consider the following 
promise problem hereby referred to as DLP2: Promised that $x \in [s,t]$ or 
$x \in [(s + \tfrac{p-1}{2}) \bmod (p-1),\ (t + \tfrac{p-1}{2}) \bmod (p-1)]$ and $\mathrm{dist}(s,t) < \tfrac{p-1}{12 n^2}$, does 
$x \in [(s + \tfrac{p-1}{2}) \bmod (p-1),\ (t + \tfrac{p-1}{2}) \bmod (p-1)]$? An easy modification to protocol 2 yields a 
perfect zero-knowledge interactive proof system for DLP2: 

Protocol 3 

common input: $p, g$ and $y$ as before and also $s$. 

1) $P$ and $V$ both perform $y' := y$ 

2) $P$ and $V$ perform protocol 2 on input $p, g$ and $y'$. 

Theorem 2': Protocol 3 constitutes a perfect zero-knowledge interactive proof system for DLP2. 

Proof: Since it is promised that $\mathrm{Dlog}_g y \in [s,t]$ or 
$\mathrm{Dlog}_g y \in [(s + \tfrac{p-1}{2}) \bmod (p-1),\ (t + \tfrac{p-1}{2}) \bmod (p-1)]$ and that $\mathrm{dist}(s,t) < \tfrac{p-1}{12 n^2}$, then after exe- 
cuting step 1 we have $\mathrm{Dlog}_g y' \in [1, \tfrac{p-1}{12 n^2}]$ or $\mathrm{Dlog}_g y' \in [\tfrac{p-1}{2}+1,\ \tfrac{p-1}{2} + \tfrac{p-1}{12 n^2}]$ and now our 
theorem follows from theorem 2. 
4. EXTENSIONS

4.1. Generalization of the Protocol to other Cyclic Groups

Let $G$ be an arbitrary cyclic group such that the following conditions hold:

1) The group operation of $G$ can be implemented in polynomial time.

2) The order of $G$ (to be denoted $N$) is either given or can be computed in polynomial time.

We can extend the definitions of the DLP and DLP1 in the obvious way. The needed modifications are to replace any multiplication mod $p$ by the group operation of $G$ and to replace $p-1$ by the group order $N$.

With the same modifications our protocol will be a perfect zero-knowledge proof for the promise problem DLP1 in $G$ (since the protocol does not make any use of the special structure of $Z_p^*$, but merely of its being cyclic). What we still have to show is that DLP1 is polynomially equivalent to the DLP itself in any cyclic group. The Blum-Micali proof (used in $Z_p^*$) extends easily only to groups in which $N$ is even and both testing quadratic residuosity and taking square roots can be performed in polynomial time. Unfortunately, this does not seem to be the case in all groups and a different argument is needed. We present a proof of the equivalence of DLP and DLP1 based on ideas of Kaliski [Ka].

We define the oracle $LOG_G$ as follows:

$LOG_G(g,y,s,d) = 0$ if $Dlog_g y \in [s,\ (s+d) \bmod N]$

$LOG_G(g,y,s,d) = 1$ if $Dlog_g y \in [(s+\frac{N}{2}) \bmod N,\ (s+\frac{N}{2}+d) \bmod N]$

In any other case the answer of the oracle $LOG_G$ is unexpected.

It should be noticed that when $d < \frac{N}{12n^2}$ this oracle solves the promise problem DLP2 for which Protocol 3 is a perfect zero-knowledge proof.

Theorem 3: The following two problems are polynomially equivalent for any cyclic group $G$ of $N$ elements and a generator $g$:

1) Given $g, y \in G$ such that $g$ is a generator of $G$, find $x$ such that $x = Dlog_g y$. (DLP)

2) Given $y \in G$, a generator $g \in G$, $0 \le s < N$ and $d$ such that $0 < d < \frac{N}{12n^2}$, compute $LOG_G(g,y,s,d)$. (DLP2)

Proof: It is obvious that if we know how to solve the first problem we can solve the second one. We will prove the other direction by presenting an algorithm that solves the DLP using the oracle $LOG_G(g,y,s,d)$. The algorithm is based on the following elementary lemma:

Lemma 1: For any cyclic group $G$ of order $N$ and for every $y \in G$:

If $Dlog_g y^2 \in [s,t]$ then $Dlog_g y$ is in $[\lceil \frac{s}{2} \rceil, \lceil \frac{t}{2} \rceil]$ or in $[\lceil \frac{s+N}{2} \rceil, \lceil \frac{t+N}{2} \rceil]$.

Proof (of the Lemma): Let $x \in [s,t] \subseteq \{0,1,\ldots,N-1\}$ and try to find a number $w$ such that $x = 2w \pmod N$. We deal with two cases:

Case 1: $N$ is odd. Since $N$ is odd there exists a unique number $2^{-1} \bmod N$. In this case one can easily verify that if $x$ is even then $w = \frac{x}{2} \in [\lceil\frac{s}{2}\rceil, \lceil\frac{t}{2}\rceil]$, and if $x$ is odd then $w = \frac{x+N}{2} \in [\lceil\frac{s+N}{2}\rceil, \lceil\frac{t+N}{2}\rceil]$.

Case 2: $N$ is even. Since $N$ is even, $2^{-1} \bmod N$ does not exist. In this case only for even $x$ do we have such a $w$. Actually we have two such numbers: $w_1 = \frac{x}{2}$ and $w_2 = \frac{x+N}{2}$. It is easy to verify that $w_1 \in [\lceil\frac{s}{2}\rceil, \lceil\frac{t}{2}\rceil]$ and $w_2 \in [\lceil\frac{s+N}{2}\rceil, \lceil\frac{t+N}{2}\rceil]$.

Now taking $x = Dlog_g y^2$ the lemma follows for every $N$. □

Note that if the interval in which $Dlog_g y^2$ is found is of size $d$ then the intervals in which $Dlog_g y$ can be found are of size $\lceil d/2 \rceil$. This is used in the following algorithm.



Algorithm 1: (The input is $y \in G$ and a generator $g$)

(1) Let $n = \log_2 N$.

(2) Compute $y_1 = y$, $y_2 = y_1^2$, $y_3 = y_2^2$, ..., $y_n = y_{n-1}^2$. /* $y_k = y^{2^{k-1}}$ */

(3) Let $s = 0$.

(4) Let $d = \frac{N}{12n^2}$.

(5) For $k = n$ down to $1$ do
      If $LOG_G(g, y_k, s, d) = 0$ then $s = s$
      else $s = (s + \frac{N}{2}) \bmod N$;
      if $k > 1$ then $s = \lceil s/2 \rceil$ and $d = \lceil d/2 \rceil$   /* Lemma 1, passing from $y_k$ to $y_{k-1}$ */
    end

(6) If $g^s = y$ output $s$;
    else if $g^{s+1} = y$ output $s+1$;
    else (the starting value of $s$ was wrong) increase the starting value of $s$ by $\frac{N}{12n^2}$ and go to (4).

The idea is that we are trying to find an $s$ such that $Dlog_g y_n = Dlog_g y^{2^{n-1}}$ is in the range of size $\frac{N}{12n^2}$ starting from $s$. Assume that we are in the right interval; then according to the lemma, in each round of step (5) we reduce by a factor of 2 the size of the interval in which we are looking for $Dlog_g y_k$. Therefore at the end, after $n = \log_2 N$ rounds, we are looking for $Dlog_g y_1 = Dlog_g y$ in an interval of size 2. Now we check which of the two numbers in the interval is $Dlog_g y$. If neither fits then the current starting $s$ is wrong and we increase it by $\frac{N}{12n^2}$ and try again. After at most $\frac{N}{d} = 12n^2$ iterations we should find the right $s$. Therefore the number of times we have to execute steps (4-6) is $O(n^2)$. Now, assuming that $LOG_G$ is polynomial-time, and recalling the assumptions about $G$ (i.e. $N$ is known or can be computed in polynomial time and the group operation can be implemented in polynomial time), this algorithm is also polynomial-time. □
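The reduction above, carried out in working code as an added example (it is not code from the paper). The group is $Z_p^*$ for a small prime chosen here ($p = 10007$, so $N = p-1$ is even, the case of Lemma 1 the algorithm relies on), and the oracle $LOG_G$ is simulated from a lookup table of all discrete logarithms, which is only possible at toy size; a real DLP2 solver would be plugged in in its place. The names `find_generator`, `make_log_oracle` and `dlog_via_interval_oracle` are this example's own. Intervals are treated circularly mod $N$, and the halving of Lemma 1 is applied between consecutive $y_k$, so the interval for $Dlog_g y_1 = Dlog_g y$ is reached after $n-1$ halvings and is checked by exhaustive search.

```python
"""Algorithm 1 of Theorem 3: DLP from the interval oracle LOG_G.

Added example, not the paper's code.  Z_p^* with p prime, so N = p-1 is even.
The oracle is *simulated* with a table of all logarithms (toy size only).
A circular interval [s, s+d] means {s, s+1, ..., s+d} reduced mod N.
"""
import math

P = 10007          # constructed prime modulus for the example
N = P - 1          # order of Z_p^*, even


def find_generator(p):
    """Smallest generator of Z_p^*: g^((p-1)/q) != 1 for every prime q | p-1."""
    n = p - 1
    factors, m, q = [], n, 2
    while q * q <= m:            # trial division of p-1 (fine for toy sizes)
        if m % q == 0:
            factors.append(q)
            while m % q == 0:
                m //= q
        q += 1
    if m > 1:
        factors.append(m)
    for g in range(2, p):
        if all(pow(g, n // q, p) != 1 for q in factors):
            return g
    raise ValueError("no generator found")


def in_circular_interval(x, s, d, n):
    """x in {s, s+1, ..., s+d} mod n."""
    return (x - s) % n <= d


def make_log_oracle(g, p):
    """Simulated LOG_G(g, y, s, d): 0 / 1 as defined in the paper, None when the
    promise is violated (the paper's 'unexpected' answer)."""
    n = p - 1
    table, acc = {}, 1
    for x in range(n):           # g^x -> x for every x; cheating, toy size only
        table[acc] = x
        acc = acc * g % p

    def oracle(y, s, d):
        x = table[y]
        if in_circular_interval(x, s, d, n):
            return 0
        if in_circular_interval(x, (s + n // 2) % n, d, n):
            return 1
        return None
    return oracle


def dlog_via_interval_oracle(g, y, p, oracle):
    """Recover Dlog_g y using only LOG_G queries (Algorithm 1)."""
    n_ord = p - 1
    assert n_ord % 2 == 0, "halving step below assumes N even"
    n = math.ceil(math.log2(n_ord))
    d = n_ord // (12 * n * n)
    assert 1 <= d < n_ord // 2
    ys = [None, y]               # ys[k] = y^(2^(k-1)), so Dlog ys[k] = 2 * Dlog ys[k-1] mod N
    for _ in range(2, n + 1):
        ys.append(ys[-1] * ys[-1] % p)
    for s0 in range(0, n_ord, d):        # steps (4)-(6): try every candidate start
        s, dd, consistent = s0, d, True
        for k in range(n, 0, -1):        # step (5)
            b = oracle(ys[k], s, dd)
            if b is None:                # promise violated: this s0 is wrong
                consistent = False
                break
            s = (s + b * (n_ord // 2)) % n_ord   # now Dlog ys[k] in [s, s+dd]
            if k > 1:                    # Lemma 1: interval for Dlog ys[k-1]
                s = -(-s // 2)           # ceil(s/2)
                dd = -(-dd // 2)         # ceil(dd/2)
        if not consistent:
            continue
        for c in range(s, s + dd + 1):   # step (6): a couple of candidates remain
            if pow(g, c % n_ord, p) == y:
                return c % n_ord
    return None


if __name__ == "__main__":
    g = find_generator(P)
    oracle = make_log_oracle(g, P)
    x = 1234
    print(g, dlog_via_interval_oracle(g, pow(g, x, P), P, oracle))
```

The outer loop steps the candidate start by $d$ over the whole circle, so at most $N/d \approx 12n^2$ restarts happen, matching the count in the proof; the oracle's answer 1 is folded into $s$ by adding $N/2$ before halving, which is exactly the choice between the two intervals of Lemma 1.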



4.2. Generalization of the Results to Acyclic Groups

In an acyclic group which is finite and Abelian we do not have a generator but a generating tuple $g = (g_1, g_2, \ldots, g_k)$. Any element $y \in G$ can be uniquely expressed as $y = g_1^{x_1} \cdots g_k^{x_k}$. The order of each $g_i$ is denoted $N_i$ and the number of elements in the group is $N = N_1 \cdot N_2 \cdots N_k$. The DLP and DLP1 are defined with respect to $g_1$ (for example, the DLP in such a group is: given $y$, find $x_1$ such that $\exists x_2, \ldots, x_k$ with $y = g_1^{x_1} \cdots g_k^{x_k}$).

Our protocol with some modifications will work here too. We have to assume that we know (or can compute in polynomial time) not only the group size $N$ but also $N_1$. We should replace every occurrence of $N$ in the previous protocol by $N_1$, and everything done with respect to $g$ has to be done with respect to $g_1$. In addition we should randomize everything by elements chosen at random from the subgroup generated by $(g_2, g_3, \ldots, g_k)$. For example, in step (V1) of the protocol the verifier should compute $\varphi = y^{b} g_1^{r_1} g_2^{r_2} \cdots g_k^{r_k}$, where $r_1$ is chosen at random from the interval prescribed by the original protocol (with $N_1$ in place of $p-1$) and $r_2, \ldots, r_k \in_R [1, N]$.

Using the same modifications described above we can also modify Theorem 3 to show that the DLP and DLP1 are still equivalent in an acyclic group.



APPENDIX: Determining Membership in a Subgroup - Special Case

In this Appendix we consider the problem of determining membership in the subgroup generated by an element $g$ in $Z_p^*$, when $p-1 = 2q$ and $q$ is prime. We will show that in this special case, testing membership in a subgroup is easy. This should be contrasted with the believed intractability of DLP also for this case.

One can readily verify that if $p-1 = 2q$ with $q$ prime then $Z_p^*$ has $q-1$ primitive elements (i.e. elements of order $p-1$), $q-1$ elements of order $q$, one element of order 2, and one element of order 1 (i.e. the identity). Furthermore, all the elements of order $q$ together with the identity form a subgroup which is generated by any of the elements of order $q$. Thus, the question of whether $a$ is in the subgroup generated by $g$ reduces (in this case!) to testing the orders of both $a$ and $g$ ($a$ is in the subgroup generated by $g$ iff the order of $a$ divides the order of $g$). Finally, note that testing the order of an element is easy (in this case!): the order must be one of $1, 2, q, 2q$, so after ruling out $a = \pm 1$ a single exponentiation $a^q \bmod p$ decides between $q$ and $2q$.
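The order test sketched above, as an added example (not code from the paper): for $p = 2q+1$ the possible orders are $1, 2, q, 2q$, so one modular exponentiation settles the order and membership becomes a divisibility check. The functions and the sample prime $p = 23$ ($q = 11$) are this example's own; `count_by_order` brute-forces the counts quoted in the appendix on that toy prime.

```python
"""Subgroup membership in Z_p^* for a safe prime p = 2q + 1 (q prime).

Added example, not the paper's code.  Orders in Z_p^* divide p-1 = 2q, so
every element has order 1, 2, q or 2q; that is what makes the test cheap
while the DLP in the same group is believed hard.
"""


def element_order(a, p, q):
    """Order of a in Z_p^* for p = 2q + 1, q prime; a must satisfy 1 <= a < p."""
    assert p == 2 * q + 1 and 1 <= a < p
    if a == 1:
        return 1
    if a == p - 1:
        return 2                 # -1 is the unique element of order 2
    if pow(a, q, p) == 1:
        return q                 # a != 1 and a^q = 1: order exactly q
    return 2 * q                 # otherwise a is a primitive element


def in_subgroup(a, g, p, q):
    """True iff a lies in the subgroup generated by g (ord(a) divides ord(g))."""
    return element_order(g, p, q) % element_order(a, p, q) == 0


def count_by_order(p, q):
    """Brute-force census of Z_p^* by order; expected {1:1, 2:1, q:q-1, 2q:q-1}."""
    counts = {}
    for a in range(1, p):
        o = element_order(a, p, q)
        counts[o] = counts.get(o, 0) + 1
    return counts


if __name__ == "__main__":
    p, q = 23, 11                # constructed toy safe prime
    print(count_by_order(p, q))
    print(in_subgroup(4, 2, p, q), in_subgroup(5, 2, p, q))
```

The same `pow(a, q, p) == 1` check (together with rejecting $a = \pm 1$) is what an implementation performs when it validates that a received group element lies in the order-$q$ subgroup before using it; the appendix's point is that this validation costs one exponentiation even though extracting the logarithm does not.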
Zero-Knowledge With Finite State Verifiers
(Extended Abstract) 



Cynthia Dwork Larry Stockmeyer 

IBM Almaden Research Center 
San Jose, CA 95120 

Abstract. We initiate an investigation of interactive proof systems (IPS's) and zero 
knowledge interactive proof systems where the verifier is a 2-way probabilistic finite state 
automaton (2pfa). Among other results, we show: 

1. There is a class of 2pfa verifiers and a language L such that L has a zero knowledge 
IPS with respect to this class of verifiers, and L cannot be recognized by any verifier 
in the class on its own; 

2. There is a language L such that L has an IPS with 2pfa verifiers but L has no zero 
knowledge IPS with 2pfa verifiers. 

1. Introduction 

Issues in complexity theory and cryptography motivated Babai [1] and Goldwasser, 
Micali, and Rackoff [7] to introduce the concept of an interactive proof system. Speaking 
informally, an Interactive Proof System (IPS) for membership in a language $L$ is a two-party protocol whereby a "prover" convinces a "verifier" that elements $x \in L$ are actually in $L$. The concept is interesting only if the verifier is not itself sufficiently powerful to recognize $L$.

To date, almost all research in interactive proof systems has dealt with the case that the 
verifier is a probabilistic Turing machine (ptm) which runs in polynomial time. Due to the 
present lack of understanding of the power of polynomial time computation, many previous 
results depend on unproven assumptions, typically that a certain problem is not in P or 
that a certain cryptosystem cannot be broken in polynomial time. If the given assumptions 
are false, then either the proof becomes invalid or the result becomes trivial. For example, 
the important and powerful result that any language in NP has a zero knowledge IPS [6] 
would become unproven if secure probabilistic encryption schemes do not exist, and would 
become vacuous if P = NP. 

The ability to prove lower bounds is crucial to understanding the structure of the class 
of languages with interactive proof systems. We therefore restrict the class of verifiers, 
namely, to 2-way probabilistic finite state automata (2pfa). We have obtained a number 
of results on 2pfa's and IP(2pfa), the class of languages with interactive proof systems 
in which the verifier is a 2pfa, examining public coins, private coins, and zero knowledge 
proof systems. ([4] contains a preliminary report of these results, including all proofs.) 
For the remainder of this abstract we restrict our attention to zero knowledge interactive 
proofs, noting only that the class IP(2pfa) is quite rich, despite the restricted power of the 
verifier, containing, for example, any language recognizable by a deterministic exponential 
time Turing machine. 

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 71-75, 1990. 
© Springer- Verlag Berlin Heidelberg 1990 
2. Definitions

Our definition of an interactive proof parallels the one used in previous papers on in- 
teractive proofs where the verifier is a polynomial-time bounded ptm, for example, [7,6], 
and the one given by [3] in a more general setting. The main difference in our case is 
that the verifier is a 2-way probabilistic finite state automaton (2pfa). A 2pfa consists of 
a probabilistic finite state control and a 2-way head which reads the input string. Tran- 
sition probabilities are assumed to be rational. In addition, the verifier can communicate 
with a prover which sees the same input. In our case, the communication is done via a 
single communication cell which can hold a single symbol from some finite communication 
alphabet. The prover writes a symbol in the cell only in response to a symbol written 
by the verifier. At some point in the interactive computation, the verifier can halt and 
either accept or reject. The prover-verifier pair (P, V) is an interactive proof system for 
the language L with error probability e if 

1. for all $x \in L$, $(P,V)(x)$ accepts with probability at least $1-\varepsilon$, and

2. for all $x \notin L$ and all provers $P^*$, $(P^*,V)(x)$ rejects with probability at least $1-\varepsilon$.

Let IP(2pfa) be the class of languages $L$ such that $L$ has an interactive proof system with error probability $\varepsilon < 1/2$.

Let 2PFA denote the class of languages recognized by 2pfa's with error probability $\varepsilon < 1/2$. Equivalently, 2PFA is IP(2pfa) restricted to IPS's $(P,V)$ where $P$ and $V$ do not communicate (so the prover can be empty).

In some results we will want to talk about the expected or worst-case time complexity 
of an IPS (P, V), defined to be the expected (averaged over all random choices made by 
V and P) or worst-case number of steps taken by the verifier before halting and measured 
as a function T(n) of the length n of the input. 

A sweeping Spfa is a 2pfa restricted so that the input head can switch direction only 
when reading an endmarker. In any computation, the input head alternately sweeps across 
the input from left to right, then from right to left, and so on. 

We shall also use a more general form of recognition called separation. Let $M$ be an IPS or a 2pfa, and let $A$ and $B$ be sets of words with $A \cap B = \emptyset$. Then $M$ separates $A$ and $B$ if there is some constant $\varepsilon < 1/2$ (the error probability) such that, for all $x \in A$, $M(x)$ accepts with probability at least $1-\varepsilon$, and for all $x \in B$, $M(x)$ rejects with probability at least $1-\varepsilon$ (we do not care about the behavior of $M$ on inputs not in $A$ or $B$).

We temporarily defer the definition of "zero knowledge" interactive proof system. 

2.1. An Example 

If $x$ is a string, let $x^R$ be $x$ written backwards. Define

Palindromes $= \{ x \in \{0,1\}^* \mid x = x^R \}$.

We describe an IPS $(P,V)$ for Palindromes with error probability $\varepsilon$ for any constant $\varepsilon > 0$. If $x$ is a palindrome, the interaction involves $k$ iterations, where $k = \lceil \log_2(1/\varepsilon) \rceil$. On each iteration, the prover $P$ sends $x$ to the verifier one symbol at a time. At the start of each iteration, the verifier $V$ (privately) tosses a fair coin. Letting $w$ denote the string received from the prover during this iteration, if the outcome of the coin toss is "heads" then $V$ checks that $w = x$ and rejects if not. If the outcome is "tails" then $V$ checks that $w = x^R$ and rejects if not. If the check succeeds for all $k$ iterations, then $V$ accepts. It is easy to see that $(P,V)$ is an IPS for Palindromes with error probability $\varepsilon$: when $x \neq x^R$ no streamed $w$ can equal both $x$ and $x^R$, so each iteration rejects with probability at least $1/2$ regardless of the prover's strategy. This shows:
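A simulation of this IPS, added here as an illustration and not code from the paper. The verifier is modelled with the state a sweeping 2pfa actually has, a head position plus the direction picked by its private coin, and the prover is a function returning the string it streams in each iteration, chosen without seeing the coin. `acceptance_probability` enumerates all $2^k$ coin outcomes, so the $2^{-k}$ error bound can be checked exactly on the constructed inputs; all names are this example's own.

```python
"""Palindromes IPS of Section 2.1 with a sweeping 2pfa verifier.

Added example, not the paper's code.  The verifier compares the symbols
streamed by the prover against its input tape, scanning left-to-right on
"heads" and right-to-left on "tails"; the prover never sees the coin.
"""
from itertools import product


def honest_prover(x, iteration):
    """An honest prover streams x itself in every iteration."""
    return x


def verifier_run(x, prover, coins):
    """One deterministic run of V on input x for the given coin outcomes
    (True = heads).  Returns True iff V accepts."""
    n = len(x)
    for i, heads in enumerate(coins):
        w = prover(x, i)
        if len(w) != n:                    # prover stopped before/after the endmarker
            return False
        head = 0 if heads else n - 1       # start of the sweep for this iteration
        step = 1 if heads else -1
        for sym in w:                      # one head move per streamed symbol
            if x[head] != sym:
                return False               # heads: w != x ; tails: w != x^R
            head += step
    return True


def acceptance_probability(x, prover, k):
    """Exact acceptance probability over all 2^k fair-coin sequences."""
    accepts = sum(verifier_run(x, prover, coins)
                  for coins in product((True, False), repeat=k))
    return accepts / 2 ** k


def alternating_cheater(x, iteration):
    """A prover for non-palindromes that streams x and x^R in turn; it still
    passes each iteration with probability exactly 1/2."""
    return x if iteration % 2 == 0 else x[::-1]


if __name__ == "__main__":
    print(acceptance_probability("0110", honest_prover, 3))          # 1.0
    print(acceptance_probability("0010", honest_prover, 3))          # 0.125
    print(acceptance_probability("0010", alternating_cheater, 4))    # 0.0625
```

Because the check is a single sweep in one direction per iteration, the verifier needs no memory beyond its head position, which is why the same $(P,V)$ is also the linear-time sweeping 2pfa of Theorem 2.1; the cheating strategies above show that on a non-palindrome no prover does better than $2^{-k}$.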
Theorem 2.1. Palindromes $\in$ IP(2pfa). Moreover, for any error probability $\varepsilon > 0$, there is an IPS for Palindromes where the verifier is a sweeping 2pfa which runs in worst-case time $O(n)$.

This theorem contrasts with the following impossibility result. 

Theorem 2.2. Palindromes $\notin$ 2PFA.

In fact, we prove a somewhat stronger result, from which the theorem follows. Theorem 2.2 is particularly interesting in light of Freivalds' result [5] that 2PFA contains certain nonregular sets, such as $\{ 0^n 1^n \mid n \ge 1 \}$.

3. Zero Knowledge Interactive Proof Systems 
3.1. Old and New Definitions 

Informally, an interactive proof system (P, V) for a language L is zero knowledge if for 
any input x € L and any verifier V*, the only information which V* can get from P during 
their interaction is the single bit of information that x belongs to L. Previous papers, e.g. 
[7], considered zero-knowledge only for ptime-ptm verifiers; we generalize the definition to 
an arbitrary class of verifiers as follows. Fix some class $\mathcal{V}$ of verifier machines, for example, 2pfa's or polynomial-time ptm's. Let $(\emptyset, \mathcal{V})$ be the subclass of machines in $\mathcal{V}$ that do not communicate with the prover (the symbol $\emptyset$ in this notation should be a reminder that the prover is empty). The interactive computation of $(P, V^*)(x)$ defines a distribution of conversations between $P$ and $V^*$. The IPS $(P,V)$ is zero knowledge if for any verifier $V^* \in \mathcal{V}$ there is an $M_{V^*} \in (\emptyset, \mathcal{V})$ such that, for all $x \in L$, $M_{V^*}(x)$ produces a distribution of conversations which is "close" to the distribution produced by $(P, V^*)(x)$.

At first glance, it would appear that the IPS (P, V) for palindromes described above is 
perfect zero knowledge according to this definition. On input x, the conversation consists 
of the prover sending x to the verifier several times, and obviously a 2pfa can produce this 
conversation alone. On an intuitive level, however, this IPS is clearly not zero knowledge for 
the following reason. Let A be the set of "double palindromes", i.e., the set of palindromes 
of the form ww R where w is itself a palindrome, and let B be the set of palindromes not 
in A. It is not hard to see that there is a 2pfa V* such that (P, V*) separates A and B. 
On input x, V* first checks that |x| is even and rejects if not. Then starting from the left 
endmarker, V* moves its head two to the right for every symbol sent to it by the prover 
until the right endmarker is reached. At this point, P has finished sending w and is ready 
to send w R to V*, where x = ww R . So V* is now in a position to compare w with w R . 
Since we can show that no 2pfa separates A and B, it is clear that P is giving V* some 
extra information which it cannot get by itself. 

This suggests the following definition of zero knowledge which we call "recognition zero 
knowledge" to distiguish it from previous definitions. 

Let $\mathcal{V}$ be a class of verifier machines. Let $(P,V)$ be an IPS for the language $L$ where $V \in \mathcal{V}$. Then $(P,V)$ is a recognition zero knowledge IPS for $L$ with $\mathcal{V}$ verifiers if, for any $V^* \in \mathcal{V}$ and any $A, B \subseteq L$ with $A \cap B = \emptyset$ such that $(P, V^*)$ separates $A$ and $B$, there is an $M_{V^*} \in (\emptyset, \mathcal{V})$ such that $M_{V^*}$ separates $A$ and $B$.

This is a fairly weak definition, in the sense that if a language has no recognition zero 
knowledge IPS then it has no zero knowledge IPS in a strong intuitive sense. 
3.2. Languages Having No Zero Knowledge IPS

We first consider the palindrome language Palindromes defined in §2.1. We are able to 
show that the ability of a V* to get extra information from the prover is not a property just 
of the particular IPS (P, V) described in §2.1. It is an inherent property of Palindromes. 

Theorem 3.1. There is no recognition zero knowledge IPS for Palindromes with 2pfa 
verifiers. This remains true with 2pfa verifiers which run in either polynomial worst-case 
time or polynomial expected time. 

By a similar proof, we can show that the graph isomorphism problem has no recogni- 
tion zero knowledge IPS with 2pfa verifiers. This result contrasts with the situation for 
polynomial-time ptm verifiers, where graph isomorphism does have a (recognition) zero 
knowledge IPS [6]. We .remark that the graph isomorphism problem does have an IPS 
with a 2pfa verifier. 

3.3. A Language With a Recognition Zero Knowledge IPS 

That the graph isomorphism problem has no (recognition) zero knowledge IPS with 2pfa verifiers suggests that techniques which have been used to obtain zero knowledge IPS's with ptime-ptm verifiers will not extend to 2pfa verifiers. In fact, we have no example of a language $L \notin$ 2PFA which has a recognition zero knowledge IPS with 2pfa verifiers. With 2pfa verifiers restricted to a certain class $\mathcal{R}$, however, we do have such an example. Let $\mathcal{R}$ denote the class of sweeping 2pfa's that halt in polynomial expected time.

Theorem 3.1, showing that there is no recognition zero knowledge IPS for palindromes, also holds with $\mathcal{R}$ verifiers. It is interesting to contrast this latter result with the result obtained next, that the unary version of palindromes has a recognition zero knowledge IPS with $\mathcal{R}$ verifiers. The unary version of palindromes is the language

Upal $= \{ 0^n 1^n \mid n \ge 1 \}$.

Greenberg and Weiss [8] show that Upal cannot be recognized by any 2pfa which runs in polynomial expected time; in particular, Upal is recognized by no machine in $\mathcal{R}$, so the next result is not vacuous.

Theorem 3.2. There is a recognition zero knowledge IPS for Upal with $\mathcal{R}$ verifiers.

Actually, we prove a stronger result from which Theorem 3.2 follows immediately. We describe an IPS $(P,V)$ for Upal with the following property. For any $V^*$ and any $\varepsilon < 1/2$, let $A$ ($B$) be the set of integers $n$ such that $(P,V^*)(0^n 1^n)$ accepts (rejects) with probability at least $1-\varepsilon$. Then there is a set $C$ of integers such that $C$ separates $A$ and $B$ (i.e., $A \subseteq C$ and $B \cap C = \emptyset$) and $\{ 1^n \mid n \in C \}$ is regular. Our proof of this fact differs from previous proofs of zero knowledge in a significant way. Whereas previous proofs involved a simulation which used $V^*$ as a "black box", our proof uses the internal structure of $V^*$ in an essential way. This proof draws upon several facts from the theory of Markov chains.

4. Related Work 

Other results on interactive proof systems with restricted verifiers appear in [2] and [3]. 
In these papers Condon and Ladner considered the case in which the verifier is restricted to 
run in space logarithmic in the length of the input, but they did not address the question of zero knowledge.

More recently, Kilian [9], adopting a definition of zero knowledge based on the one presented here, has shown that, for verifiers which use logarithmic space and polynomial time, every language which has an IPS also has a zero knowledge IPS; no unproved assumptions are needed to obtain this result.

Note 

The authors thank the program committee of CRYPTO '88 for inviting this paper to 
the conference. 
Abstract. This paper surveys computational problems related to integer factorization
and the calculation of discrete logarithms in various groups. Its aim is to provide theory 
sufficient for the derivation of heuristic running time estimates, and at the same time 
introduce algorithms of practical value. 



0. Introduction 

Several problems in number theory are believed to be computationally intractable, a 
property that is potentially of great use in cryptography. Included in this category are 
problems related to integer factorization and the evaluation of discrete logarithms in vari- 
ous groups. The purpose of this paper is to summarize current knowledge about them, 
from a theoretical viewpoint. 

In line with the long-term goals of complexity theory we should like to settle the 
question of whether these problems are really difficult, in the sense of having no proba- 
bilistic polynomial time algorithms. However, two features of this program seem inap- 
propriate to the present context. First, a concentration on the asymptotic behavior of 
algorithms may be too restrictive, as a designer of public -key cryptosystems has to make 
compromises between efficiency and security and so must consider problems of a fixed 
size. Second, a restriction to algorithms that can be rigorously analyzed is too stringent if 
one wishes to design a system that will resist all known attacks. Since currently we can- 
not even prove asymptotic lower bounds on the complexity of these problems, design 
decisions must be based on what we believe to be the best algorithms. Such has been the 
state of affairs ever since the invention of public -key cryptology; it seems unlikely to 
change soon. 
Of course, there have been improvements in our ability to solve these problems,
most strikingly for factorization. A paper written in the early 1980's [Pomerance 1982] 
noted that the available algorithms could factor numbers up to 50 digits; the record now 
stands at 100 digits [Lenstra and Manasse 1988]. Thus the size of numbers whose factori- 
zation is feasible has doubled in ten years, and more advances are sure to follow. Cer- 
tainly, some of this progress has come from the use of more powerful computers; what 
may not be so evident is the impact of new techniques, most notably the elliptic curve 
[Lenstra 1987] and quadratic sieve [Pomerance 1984] algorithms. Both of these algo- 
rithms are easy to parallelize on currently available machines. 

Given an algorithm, one should always try to find the most general structure to 
which it applies. Thus, to highlight similarities and hide details, I have used algebraic 
language wherever possible. Sometimes the level of abstraction is greater than that 
needed merely to describe an algorithm. I would argue, however, that from this vantage 
point one can see clearly how the algorithms arise from the basic ideas. Necessarily, 
some details are lost; for more complete descriptions I refer to the surveys in the refer- 
ence list (marked with a "*") as well as to the original papers. 

In considering running times the reader should equate "step" with "bit operation." 

1. Problems related to factoring 

The problem of factorization makes sense in any unique factorization domain, of which the most basic example is the ordinary integers $\mathbb{Z}$. Thus we wish to compute the prime divisors of a number $n$ presented as input.

If $n$ is prime, then the problem is easy, as there are efficient randomized algorithms to test primality. With no more work than that of evaluating a power modulo $n$ (an $O(\log n)^3$ process) one can tell if a number is prime, with an error probability of at most $1/4$ [Rabin 1980]. If certainty is needed, then a more complicated deterministic algorithm [Adleman et al. 1983] will prove that $n$ is prime in at most $(\log n)^{(c+o(1))\log\log\log n}$ steps. This algorithm also has a randomized version that is likely to find such a proof within the same time bound; for this it is conjectured that $c = 1/\log 2 = 1.442\ldots$. Finally, a new test due to Atkin and based on complex multiplication has recently been implemented [Morain 1988]; this has proved useful for testing numbers up to 571 digits but it has not yet been analyzed.

In a statistical sense, we understand quite well how numbers factor. One can ima- 
gine that a random number n has prime factors whose lengths are selected by a "random 
bisection" process: choose a prime p whose length is uniformly distributed in the inter- 
val (0, Iogn), replace n by nip and repeat, and so on. From this one gets intuition about 
how typical numbers factor as well as an efficient method for generating random 
numbers together with their factorizations [Bach 1988]. 

However, we do not know a polynomial time algorithm for factoring, even if we use 
randomness or make a reasonable assumption such as the extended Riemann hypothesis. 
We do not even know how to efficiently produce any useful information about the factors 
of a number. For instance, one might ask (from a formal analogy with polynomials) if
extracting the squarefree part of a number, or just deciding if it is squarefree, takes less 
time than computing the full factorization; no such result is known. Neither can we 
count the prime factors of a number in any way better than finding them all. 

One often finds factorization problems represented as equation-solving problems. For instance, an algorithm to solve the congruence

$$x^2 \equiv a \pmod n \qquad (1.1)$$

can be used to efficiently factor $n$ [Rabin 1979]. One could make a formal analogy with (1.1) and speculate that for $e$ relatively prime to the Euler function $\phi(n)$, the congruence

$$x^e \equiv a \pmod n \qquad (1.2)$$

cannot be efficiently solved without finding information from which one could easily factor $n$. The security of the RSA cryptosystem [Rivest et al. 1978] relies on this conjecture as well as on the belief that factoring is difficult.

There is also an existence problem related to square roots modulo $n$: decide whether

$$\exists x\,[x^2 \equiv a \pmod n]. \qquad (1.3)$$

This was used in the design of a probabilistic encryption method [Goldwasser and Micali 1982]. A necessary but not sufficient condition for (1.3) to hold is that the Jacobi symbol $(a/n)$ equals 1; this is computable in $O(\log n)^2$ time [Collins and Loos 1982]. Problem (1.3) clearly has some relation to factoring, for if $a$ is a quadratic residue modulo $n$, then for each $p$ dividing $n$, $a$ is a square modulo $p$. By quadratic reciprocity, the factors of $n$ are restricted to certain arithmetic progressions. However, recovering the factors from this information seems not to be easy. There is also a relationship between deciding (1.3) and computing $\omega(n)$, the number of distinct prime factors of $n$, since for odd $n$ the fraction of quadratic residues in $(\mathbb{Z}/n\mathbb{Z})^*$ is $2^{-\omega(n)}$; however, this does not immediately imply a polynomial-time equivalence between these problems.
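An added example (not from the survey) of the two facts used above: the Jacobi symbol computed by quadratic reciprocity in $O(\log n)^2$ bit operations, and, on constructed small composite moduli, residues with $(a/n) = 1$ that are nevertheless not squares, together with the $2^{-\omega(n)}$ fraction of quadratic residues. `is_square_mod` and `quadratic_residue_fraction` are brute force and only meant for toy $n$; the function names are this example's own.

```python
"""Jacobi symbol by quadratic reciprocity, and the gap between (a/n) = 1 and
a being a square mod a composite n.

Added example, not the survey's code.  jacobi() is the standard binary
algorithm (O((log n)^2) bit operations); the brute-force helpers exist only
to exhibit, on tiny moduli, what the Jacobi symbol does not tell you.
"""
from fractions import Fraction
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for a positive odd n; returns -1, 0 or 1."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                 # (2/n) = -1 iff n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # quadratic reciprocity: flip sign iff both = 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0        # n > 1 here means gcd(a, n) > 1


def is_square_mod(a, n):
    """Brute force: does x^2 = a (mod n) have a solution?  Toy n only."""
    a %= n
    return any(x * x % n == a for x in range(n))


def jacobi_one_but_nonresidues(n):
    """Units a mod n with (a/n) = 1 that are NOT squares mod n (toy n only)."""
    return [a for a in range(1, n)
            if gcd(a, n) == 1 and jacobi(a, n) == 1 and not is_square_mod(a, n)]


def quadratic_residue_fraction(n):
    """Fraction of units mod n that are squares; equals 2^-omega(n) for odd n."""
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    squares = {a * a % n for a in units}
    return Fraction(len(squares), len(units))


if __name__ == "__main__":
    print(jacobi(5, 21), is_square_mod(5, 21))      # 1 False
    print(jacobi_one_but_nonresidues(21))           # [5, 17, 20]
    print(quadratic_residue_fraction(105))          # 1/8, omega(105) = 3
```

For prime $p$ the Jacobi symbol is the Legendre symbol and $(a/p) = 1$ does decide (1.3); the lists above are exactly the elements that make the problem non-trivial for composite $n$, and they are the ones a Goldwasser-Micali ciphertext hides among.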

More generally, one might wish to decide if, for a number $e$ not prime to $\phi(n)$,

$$\exists x\,[x^e \equiv a \pmod n]. \qquad (1.4)$$

This problem has been applied to the design of election protocols [Cohen and Fischer 
1985]. It has been argued on heuristic grounds that an efficient algorithm to solve (1.4) 
for general e and n would lead to an algorithm for factoring that, although not polyno- 
mial time, would outperform any currently known on certain numbers [Adleman and 
McDonnell 1983]. 

Problems (1.1)-(1.4) are all solvable in random polynomial time for prime moduli 
and hence (by the Chinese remainder theorem and Hensel's lemma) for moduli whose 
factorization is known. The first two might be called "zero-dimensional" problems, for 
the analogous equations over the complex numbers have only finitely many solutions. 
Despite our intuition that increasing the dimension increases the complexity, similar 
one-dimensional problems are efficiently solvable. In particular, there is an efficient 
algorithm [Pollard and Schnorr 1987] to solve 
$$x^2 - dy^2 \equiv a \pmod n \qquad (1.5)$$

as well as efficient algorithms for related problems in algebraic number rings [Adleman 
et. al. 1987], 

All of the problems (1.1) - (1.4) make sense if $\mathbb{Z}$ is replaced by a ring and $n$ is replaced by an ideal of finite index. Such generalizations appear not to have been studied much, although cryptographic schemes similar to the RSA have been proposed using algebraic numbers [Williams 1986].

2. Problems related to discrete logarithms 

Just as the factorization problem is concerned with rings, the discrete logarithm problem is concerned with groups. Thus let $G$ denote a finite cyclic group, in which the equality predicate, group multiplication, and inverses can be efficiently computed. If $g$ is a generator of $G$ and $a$ another element of $G$, we wish to solve

$$g^x = a; \qquad (2.1)$$

this is the discrete logarithm problem. (The restriction to cyclic groups is no constraint because the group generated by an element is always cyclic.) If $G$ has order $m$, then

$$G \cong \mathbb{Z}/m\mathbb{Z}. \qquad (2.2)$$

One can efficiently compute the reverse direction ($x \mapsto g^x$) of this isomorphism by repeated squaring, with $O(\log m)$ group multiplications. The discrete logarithm problem is that of computing the forward direction. Of course $\mathbb{Z}/m\mathbb{Z}$ has a natural ring structure, and one might ask if the multiplication operation can be transplanted to $G$; that is, if one can efficiently

$$\text{compute } g^{xy} \text{ given } g^x, g^y. \qquad (2.3)$$

This is the Diffie-Hellman problem; clearly an algorithm to compute the forward direction of (2.2) (that is, solve (2.1)) can be used to solve it. For most groups of interest, it is unknown if the converse holds, although this has been shown in certain cases for $(\mathbb{Z}/p\mathbb{Z})^*$ [den Boer 1988].

Various groups have been suggested in cryptographic applications of problems (2.1) and (2.3). The original key-exchange proposal [Diffie and Hellman 1978] suggested $(\mathbb{Z}/p\mathbb{Z})^*$ where $p$ is prime; one might also use $\mathbb{F}_q^*$, the multiplicative group of a finite field. There are also possible applications where the ambient group is non-cyclic, employing the unit group $(\mathbb{Z}/n\mathbb{Z})^*$ [Shmuely 1985, McCurley 1987], class groups of imaginary quadratic fields [Buchmann and Williams 1988], and various algebraic groups such as elliptic curves [Miller 1985, Koblitz 1987], abelian varieties [Koblitz 1988], and matrix groups [Varadharajan 1986].

With such an abundance of examples, one might well ask how far the generalization 
can be pushed. It seems that nothing about (2.1) or (2.3) requires that the group be finite, 
or even that inverses be computable; perhaps one could use semigroups instead of 
groups. 
3. Algorithms 

Remarkably, many of the best algorithms for the problems discussed above have 
apparent running times that are moderate powers of the following function: 

    L(n) = e^{\sqrt{\log n \,\log\log n}}                             (3.1) 

(here n is the number to be factored or the size of the group and log n is its natural 
logarithm). Before presenting algorithms, it will be worthwhile to discuss this function 
and how it arises. 

L(n) is often called a subexponential function because it grows more slowly than n^ε 
for any ε > 0; the appellation "subexponential" is apt because n^ε is an exponential 
function of the length log n. However, most of our intuition deals with polynomial time 
algorithms, so it is convenient to pretend that L(n) is a polynomial in log n with a slowly 
growing exponent, and define E(n) by L(n) = (log n)^{E(n)}. The following values hold: 

    n        10^50    10^100    10^200    10^500    10^1000 
    log n      115       230       460      1151       2303 
    E(n)       4.9       6.5       8.7      12.8       17.2 

From the above chart, if an algorithm requires L(n)^c steps, a small reduction in c will 
have a large effect on its running time. 

L(n) arises from considerations of smoothness (a number is smooth with respect to 
a bound M if all its prime factors are less than or equal to M). Briefly, there is a tradeoff 
between making smooth numbers plentiful (M should be large) and making smooth 
numbers easy to recognize (M should be small). 

To quantify this, we can use the random bisection heuristic cited above to get a 
plausible estimate for the "probability" P(α) that a random number near q is composed 
of prime factors less than q^α. Conditioning on the first factor's relative length x (which 
is presumed to be uniformly distributed), 

    P(\alpha) = \int_0^{\alpha} P\!\left(\frac{\alpha}{1-x}\right) dx; 

after the change of variable λ = 1/α this becomes 

This equation, together with the initial condition ρ(λ) = 1 for 0 ≤ λ ≤ 1, defines the 
Dickman rho-function. As a rule of thumb, ρ(λ) ≈ λ^{-λ}; consequently, 

    \Pr[x < q \text{ is } q^{\alpha}\text{-smooth}] \approx \alpha^{1/\alpha}.        (3.2) 
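As an added illustration (not code from the paper), the following Python computes L(n) and the exponent E(n) of the table above, and evaluates the Dickman rho-function numerically from its defining integral equation λρ(λ) = ∫_{λ−1}^{λ} ρ(t) dt with ρ = 1 on [0, 1]. That equation is the one the text refers to but which is missing from this copy; it is supplied here from the standard definition and marked as an assumption in the code. The block compares ρ(λ) with the rule of thumb λ^{−λ} behind (3.2), and its quadratic_sieve_estimate reproduces the 3×10^15 operation count that section 4 quotes for L(n)^{1.06} at n = 10^92.

```python
import math

def L(digits):
    """L(n) of (3.1) for n = 10^digits: exp(sqrt(log n * log log n)), natural logs."""
    log_n = digits * math.log(10)
    return math.exp(math.sqrt(log_n * math.log(log_n)))

def E(digits):
    """Exponent E(n) with L(n) = (log n)^E(n), i.e. sqrt(log n / log log n)."""
    log_n = digits * math.log(10)
    return math.sqrt(log_n / math.log(log_n))

def quadratic_sieve_estimate(digits, c=1.06):
    """First-order operation count L(n)^c; c = 1.06 is the exponent the text
    uses in section 4 for the quadratic sieve with Gaussian elimination."""
    return L(digits) ** c

def dickman_rho(lam, h=1e-3):
    """Dickman's rho at lam from the defining integral equation
        lam * rho(lam) = integral_{lam-1}^{lam} rho(t) dt,   rho = 1 on [0, 1]
    (the standard definition, assumed here because the display is missing from
    the copy of the paper). Implicit trapezoid rule on a grid of step h."""
    if lam <= 1:
        return 1.0
    steps = int(round(1 / h))            # grid points per unit interval
    h = 1.0 / steps
    n_pts = int(math.ceil(lam / h))
    rho = [1.0] * (steps + 1)            # rho(i*h) = 1 for 0 <= i*h <= 1
    window = float(steps)                # sum of rho over grid indices 1 .. steps
    for i in range(steps + 1, n_pts + 1):
        t = i * h
        left = rho[i - steps]            # rho(t - 1), left end of the window
        # t*rho_i = h*(left/2 + interior + rho_i/2); solve for the unknown rho_i
        rho_i = h * (window - 0.5 * left) / (t - 0.5 * h)
        rho.append(rho_i)
        window += rho_i - left           # slide the window one grid step
    k = min(int(lam / h), n_pts - 1)     # linear interpolation at lam
    frac = lam / h - k
    return rho[k] * (1 - frac) + rho[k + 1] * frac

def rule_of_thumb(lam):
    """The approximation rho(lam) ~ lam^(-lam) behind (3.2)."""
    return lam ** (-lam)

if __name__ == "__main__":
    for d in (50, 100, 200, 500, 1000):
        print(f"n = 10^{d}: log n = {d * math.log(10):.0f}, E(n) = {E(d):.1f}")
    for lam in (2, 3, 5, 10):
        print(f"rho({lam}) = {dickman_rho(lam):.3e}, lam^-lam = {rule_of_thumb(lam):.3e}")
    print(f"L(10^92)^1.06 = {quadratic_sieve_estimate(92):.2e} operations")
```

For 1 ≤ λ ≤ 2 the integral equation gives ρ(λ) = 1 − log λ exactly, which is a convenient check on the numerical scheme; beyond that the values can be compared with λ^{−λ} to see how rough the rule of thumb is.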
This can be used in a simple argument that underlies many running time calculations. 
Consider a two-phase procedure that first assembles a set of M-smooth numbers 
(with some desired properties) and then processes this set further to complete the 
algorithm. The first phase simply chooses random candidates (of size roughly q) and adds 
them to the set if they are smooth. To find the work for this phase, multiply the requisite 
number of smooth numbers by the work necessary to check a number for smoothness, 
and divide by the probability that a random number near q is smooth. If the first two 
factors combined produce a term around M^k and the second phase of the algorithm takes 
M^l steps, then by the approximation (3.2), the total time is roughly 

    T = T_1 + T_2 = M^k \lambda^{\lambda} + M^l                        (3.3) 

where λ = (log q)/(log M). If T_1 ≫ T_2, we can minimize log T_1 by setting its derivative 
to zero and find that asymptotically 

    \lambda = \sqrt{(2k \log q)/\log\log q}, 

so 

    T = T_1 + T_2 = L(q)^{\sqrt{2k}} + L(q)^{l/\sqrt{2k}}              (3.4) 

(the first term dominates if 2k > l). Evidently we would like q, k, and l to be small; in 
fact, much of the progress in factorization and discrete logarithms has come from reducing 
these parameters. 

Naturally, one would like to justify calculations such as the above, but this can be 
rigorously done only for certain algorithms. The problem is not with the approximation 
(3.2) — which can be sharpened — but with the tacit assumption that the numbers con- 
structed by the algorithm are smooth with the same probability as random numbers of 
comparable size. Because in many important cases we are unable to prove this, there has 
arisen a notion of "heuristic" running time bounds for such algorithms. Thus we distin- 
guish between proofs that an algorithm uses or expects to use only a certain number of 
steps (so-called "rigorous" bounds) and plausibility arguments for such assertions that 
always rely on unproved ad hoc assumptions. Of course, we can always try out a factor- 
ing or discrete logarithm algorithm and see if it works, since any answer produced can be 
quickly checked. For this reason, heuristic arguments are very useful, even if they are 
mathematically suspect. 

In the descriptions below all running times will be heuristic, unless otherwise noted 
(the asymptotic notations 'O' and 'o' are reserved for proved results). Furthermore, the 
calculations are what might be called "first-order": they are only accurate enough to 
derive the correct value of c in an estimate of the form L(n)^c. In particular, they ignore 
relatively small factors such as powers of log n. 

Algorithms for factoring 

Most factorization algorithms rely on what might be called a "functorial" 
approach. The idea is to associate with each ring Z/nZ an object X_n in a generic 
fashion, so that the factorization given by the Chinese remainder theorem transfers to a 
factorization of X_n, thus: 

    \mathbb{Z}/n\mathbb{Z} \cong \mathbb{Z}/p\mathbb{Z} \times \mathbb{Z}/q\mathbb{Z} 
                 \downarrow 
    X_n \cong X_p \times X_q                                          (3.5) 

(in this section assume that n has two distinct prime factors p and q). We then use the 
factorization of X_n to recover the factors of n, usually by constructing special elements 
of X_n. The easiest way to guarantee that (3.5) occurs is to define X_n with polynomial 
equations modulo n, though this may not be the only way to proceed. 

The best algorithms for factoring numbers composed of two equally large primes 
are the quadratic residue family of algorithms. These algorithms work with the group 
X_n = {x : x² ≡ 1 (mod n)}, for any element of X_n that is not congruent to ±1 mod n (at 
least half of the elements of X_n have this property) will allow us to factor n as 
gcd(x − 1, n). Equivalently, we can homogenize and seek numbers x and y for which 
x² ≡ y² but x ≢ ±y. The algorithms in this family all do this by performing three basic 
steps: 

1) Generate many quadratic residues mod n. 

2) Try to factor them using primes p < M, to construct congruences of the form 

    \prod_{p < M} p^{e_p} \equiv x^2 \pmod n. 

3) Using linear algebra on the exponents modulo 2, combine the congruences 
multiplicatively to find x and y with x² ≡ y². 

The continued-fraction factoring algorithm [Morrison and Brillhart 1970] generates 
residues around √n in size by evaluating the continued fraction of √n, factors 
them by trial division, and uses Gaussian elimination for the linear algebra. Since 
roughly M linear equations are needed, we can take q = n^{1/2}, k = 2, and l = 3 in (3.4) to 
find that the running time is approximately L(n)^{√2}. 
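The three steps above, as added example code that is not from the paper or from Morrison and Brillhart: it takes residues x² mod n for x just above √n (which, like the continued-fraction residues, are about √n in size), factors them by trial division over the primes up to M, finds dependencies among the exponent vectors modulo 2 by Gaussian elimination over GF(2), and returns gcd(x − y, n). The moduli 1649 = 17·97 and 8051 = 83·97 used in the test are constructed inputs.

```python
import math

def primes_up_to(m):
    """Factor base: the primes <= m, by the sieve of Eratosthenes."""
    sieve = bytearray([1]) * (m + 1)
    sieve[:2] = b"\x00\x00"
    for i in range(2, math.isqrt(m) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_p in enumerate(sieve) if is_p]

def trial_factor(v, base):
    """Exponent vector of v over the factor base, or None if v is not smooth (step 2)."""
    if v <= 0:
        return None
    exps = []
    for p in base:
        e = 0
        while v % p == 0:
            v //= p
            e += 1
        exps.append(e)
    return exps if v == 1 else None

def gf2_dependencies(rows):
    """Gaussian elimination over GF(2) on bitmask rows (bit j = parity of the
    exponent of the j-th prime). Yields bitmasks of row indices whose rows XOR
    to zero: the corresponding product of residues is a perfect square (step 3)."""
    pivots = {}                       # leading bit -> (reduced row, combination of rows)
    for i, vec in enumerate(rows):
        combo = 1 << i
        while vec:
            lead = vec.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = (vec, combo)
                break
            pvec, pcombo = pivots[lead]
            vec ^= pvec
            combo ^= pcombo
        if vec == 0:
            yield combo

def factor_by_squares(n, M):
    """Split n = p*q: residues x^2 mod n with x just above sqrt(n) (step 1),
    trial division over primes <= M (step 2), GF(2) elimination and gcd (step 3)."""
    base = primes_up_to(M)
    rels = []                         # (x, exponent vector) with x^2 = prod p^e (mod n)
    x = math.isqrt(n) + 1
    while True:
        while len(rels) <= len(base):          # more relations than primes forces a dependency
            e = trial_factor(x * x % n, base)
            if e is not None:
                rels.append((x, e))
            x += 1
        rows = [sum(1 << j for j, ej in enumerate(e) if ej & 1) for _, e in rels]
        for combo in gf2_dependencies(rows):
            X, E = 1, [0] * len(base)
            for i, (xi, ei) in enumerate(rels):
                if combo >> i & 1:
                    X = X * xi % n
                    E = [s + t for s, t in zip(E, ei)]
            Y = 1                          # Y = prod p^(E_p / 2), so X^2 = Y^2 (mod n)
            for p, s in zip(base, E):
                Y = Y * pow(p, s // 2, n) % n
            g = math.gcd(X - Y, n)
            if 1 < g < n:
                return tuple(sorted((g, n // g)))
        rels.pop(0)                       # only trivial dependencies (X = +-Y): swap a relation
```

Because the residues are taken directly as x² mod n rather than from the continued fraction of √n, this is the "Dixon-style" version of the family; the three steps and the final gcd are the same.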

The quadratic sieve algorithm [Pomerance 1984] dispenses with the need for trial 
division, by using values of a polynomial to form residues around √n in size. Instead of 
factoring each residue separately, the algorithm processes polynomial arguments one 
prime at a time, only examining those for which the corresponding value will be divisible 
by that prime. Neglecting log factors, the amortized cost of factorization per residue may 
be taken as constant. Using the notation of (3.3), the number of polynomial arguments 
processed must be the number of smooth residues needed (M) times the inverse smoothness 
probability (λ^λ). If Gaussian elimination is used for the linear algebra, then the running 
time is the result of taking k = 1 and l = 3 in (3.3). A good choice for M is obtained 
by balancing T_1 (the cost of sieving) and T_2 (the cost of equation solving), which leads to 
a running time of approximately L(n)^{3/(2√2)} ≈ L(n)^{1.06}. 

Since a number m has no more than log_2 m prime factors, the running time of this 
and similar algorithms can be improved by exploiting the sparsity of the linear equations. 
A randomized algorithm based on shift-register synthesis [Wiedemann 1984] will solve 
an M×M linear system of equations over a finite field with O(Mw) field operations, if 
there are w nonzero coefficients. Therefore, for theoretical purposes we may take l = 2 in 
analyzing the Gaussian elimination phase of the quadratic sieve algorithm; this leads to 
the improved estimate L(n) for the running time. 

If one wishes to factor a number with a known or suspected small prime factor p, 
the algorithm of choice is the elliptic curve method [Lenstra 1987]. This takes X_n to be 
the set of solutions to y² = x³ + ax + b (mod n). By the Chinese remainder theorem, 
X_n = X_p × X_q, but X_p has some additional structure. Augmented by an additional 
"point at infinity" (0:1:0), it forms an abelian group X_p with (0:1:0) as the identity (this 
group is written additively). The group operations are given by rational functions, which 
can be evaluated mod n. By the Riemann hypothesis for finite fields, 
p + 1 − 2√p ≤ |X_p| ≤ p + 1 + 2√p, and the group order can be randomized within this 
interval by varying a and b. If we are lucky and find an M-smooth group (that is, one of 
M-smooth order), then any element must become the identity when multiplied by 
E = ∏_{p ≤ M} p^{⌊log M / log p⌋}. Of course, no rational operations can produce the point at 
infinity, so a factor is detected when one attempts this multiplication and divides by a 
non-unit in Z/nZ. For success, we expect to need only one M-smooth group, but by 
the prime number theorem, multiplication by E requires roughly M operations. The 
running time is therefore estimated by taking q = p, k = 1 and l = 0 in (3.4); one expects to 
extract p in approximately L(p)^{√2} steps. 
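A minimal stage-1 implementation of the elliptic curve method just described, added here as an example (it is not Lenstra's code or the paper's): a random curve y² = x³ + ax + b mod n is chosen through a random point, the point is multiplied by E = ∏_{p≤M} p^{⌊log M/log p⌋} (computed as lcm(1, …, M), which is the same number) with the chord-and-tangent formulas, and the factor is read off the moment a denominator is a non-unit in Z/nZ. The composites 10403 = 101·103 and 1022117 = 1009·1013 in the test are constructed inputs.

```python
import math
import random

class NonUnit(Exception):
    """Raised when a denominator shares a factor with n: this is how the factor is detected."""
    def __init__(self, g):
        super().__init__(g)
        self.g = g

def inv_mod(d, n):
    g = math.gcd(d % n, n)
    if g != 1:
        raise NonUnit(g)
    return pow(d, -1, n)

def ec_add(P, Q, a, n):
    """Chord-and-tangent addition on y^2 = x^3 + a x + b over Z/nZ; None is the
    point at infinity. b never appears in the formulas, so it is not stored."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % n == 0:
        if (y1 + y2) % n == 0:
            return None                                     # P = -Q
        lam = (3 * x1 * x1 + a) * inv_mod(2 * y1, n) % n    # tangent slope
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, n) % n           # chord slope
    x3 = (lam * lam - x1 - x2) % n
    y3 = (lam * (x1 - x3) - y1) % n
    return (x3, y3)

def ec_mul(k, P, a, n):
    """k * P by double-and-add: the 'multiplication by E' of the text."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, n)
        P = ec_add(P, P, a, n)
        k >>= 1
    return R

def stage1_exponent(M):
    """E = prod_{p <= M} p^floor(log M / log p), computed as lcm(1, ..., M)."""
    E = 1
    for i in range(2, M + 1):
        E = E * i // math.gcd(E, i)
    return E

def ecm(n, M, curves=500, seed=1):
    """Stage 1 of Lenstra's method: random curves through a random point; a
    factor appears when computing E*P requires division by a non-unit mod n."""
    E = stage1_exponent(M)
    rng = random.Random(seed)
    for _ in range(curves):
        a, x, y = (rng.randrange(1, n) for _ in range(3))   # b = y^2 - x^3 - a x implicitly
        try:
            ec_mul(E, (x, y), a, n)
        except NonUnit as found:
            if found.g != n:        # g == n: the order was smooth modulo every prime at once
                return found.g
    return None
```

Each curve is an independent trial, which is why the text's parallelization advice for this method is simply to give every processor its own curve; the returned value is always a genuine divisor of n because it comes from a gcd with n.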

A related algorithm — it does not fit the paradigm (3.5)! — is based on class groups 
[Schnorr and Lenstra 1984]. Here one chooses a random small multiplier μ, and forms a 
group from the invertible ideals modulo similarity of a subring A of Q(√(−μn)). In the 
simplest case, −μn is the field discriminant, whose divisors are exactly the ramified 
primes. Solutions to x² = 1 in the class group lead in a straightforward way to these 
primes. (Factors can also be extracted from square roots of 1 in the general case, but the 
theory is more complicated.) If the group order h depends "randomly" on μ, as suggested 
by heuristic considerations [Cohen and Lenstra 1984], we may try many values of 
μ and hope that one of the resulting groups is M-smooth. If so we can annihilate the odd 
part of the group by brute force, then square repeatedly to find solutions to x² = 1. Since 
, we can evaluate the running time by taking q = √n, k = 1 and l = 0 in (3.4) and 
find it to be roughly L(n). 

The above discussion cites three factorization methods with a conjectured running 
time near L(n), and one might suspect that this is the true complexity of factoring. However, 
the algorithms are all based on similar ideas, so it is equally plausible that the L(n) 
running times are simply a consequence of this similarity. Of these algorithms, the quadratic 
sieve is the best algorithm in practice (unless we think the number to be factored 
might have a small prime divisor). It is superior because a typical step in its execution is 
a single-precision subtraction; a step of the elliptic curve algorithm must evaluate a pair 
of rational functions (at a cost of O((log n)²)), and a step of the class group algorithm 
must perform a gcd calculation followed by a 2-dimensional lattice reduction (again, an 
O((log n)²) operation). 
The cyclotomic family of factoring algorithms takes X_n = (A/nA)^*, where A is a 
ring of algebraic integers. In these cases, X_p is a direct sum of finite fields, each of order 
p^k − 1 for some k, and we can easily factor n when any algebraic factor of p^k − 1 is 
smooth [Bach and Shallit 1985]. The practically important cases are k = 1, 2; that is, the 
method is useful when p ± 1 is smooth. For example, if A = Z, then the unit group 
modulo p has order p − 1, and by raising to a large enough power E we can annihilate 
this group, factoring n with gcd(x^E − 1, n) [Guy 1976]. The p + 1 method [Williams 
1982] works in a similar fashion with the group of elements in the finite field F_{p²} that 
have norm 1. Both methods have a refinement in which the running time is proportional 
to the square root of the smoothness bound [Montgomery 1987]; they are useful as 
preliminary steps in factorization, before a complicated method like the quadratic sieve is 
used. 

Some attention has also been paid to the effects of "second-order" smoothness, that 
is, smoothness of the automorphism group of (A/pA)^*. For example, if the map x ↦ x^e, 
an automorphism of (Z/pZ)^*, has a small order t, then we can split n with 
gcd(x^{e^t} − x, n). This leads to a requirement that φ(p − 1), the order of the automorphism 
group, have at least one large factor if p is going to be difficult to remove from n. Similarly, 
by considering automorphisms of the group of norm-1 elements in F_{p²}, we see that 
φ(p + 1) should be chosen to have a large factor. 

By properly building primes, the methods of the previous two paragraphs are easy 
to defend against. What appears to be more difficult is constructing a number that resists 
the elliptic curve or class group factorization methods. No one knows how to make the 
smoothness of the groups that occur in these algorithms less likely than the smoothness 
of random numbers of a comparable size. 

A few words should be said here about rigorous analyses of factorization algorithms. 
Surprisingly, the best known running time for a deterministic factoring algorithm 
is n^{1/4+o(1)} [Pollard 1974]; this can be lowered to n^{1/5+o(1)} if the Extended Riemann 
Hypothesis is assumed [Schoof 1982]. The best randomized algorithm for factoring 
takes expected time L { n )^+°tt) [Vallee 1988], although assuming the ERH, a randomized 
algorithm related to the class group method has an expected running time of 
L(n)^{1+o(1)} steps [Lenstra 1987]. 

Contrasted with the variety of factoring algorithms, very little seems to be known 
about direct attacks on the RSA encryption scheme (1.2) or the residue problems (1.3) 
and (1.4). It has been shown that an algorithm to find or guess individual bits of a solu- 
tion to (1.2) could be used to efficiently find complete solutions [Chor 1986], and that the 
cost of obtaining individual solutions to (1.2) can be reduced by accumulating other solu- 
tions [Desmedt and Odlyzko 1986], but no method to attack these problems has surfaced 
that is substantially better than factorization. Unfortunately, we cannot rule out the pos- 
sibility that one exists. 
Algorithms for discrete logarithms 

The complexity of the discrete logarithm problem depends very much on the group 
considered. The most general algorithms are "canonical" in the sense that they use only 
the group operations; however their running times are exponential. In several important 
cases, though, we know methods with subexponential running times, equal to or better 
than those of the best factorization algorithms. However, these methods require the 
group to be specified as part of a larger structure. 

The baby-step/giant-step algorithm [Shanks 1971] works in any group, as follows. 
Assume that |G| ≤ r²; then a solution to g^x = a can be written x_0 + x_1 r with 
0 ≤ x_i < r. By computing the 2r elements g^{x_0} and a·g^{−x_1 r} and looking for a match (one 
can either sort or use hashing), x can be found in roughly |G|^{1/2} steps (the space requirement 
is comparable; if |G| is known, this can be reduced with a variant of the "rho" 
algorithm [Pollard 1978]). 

This idea can be extended [Pohlig and Hellman 1978] if G is smooth in the sense of 
having a long chain factorization, where |G_i/G_{i−1}| = p: 

    1 = G_0 \subset G_1 \subset G_2 \subset \cdots \subset G_k = G. 

Then the index x is expressible as Σ x_i p^i, 0 ≤ x_i < p, and via the homomorphism 
G_i → G_1 (raise to the power p^{i−1}), computation of the x_i's reduces to the solution of k 
discrete logarithm problems in G_1. Using the above algorithm, the complexity is roughly 
k√p. 

Finally, assume that the factorization of m = |G| is known: m = ∏ m_i, where the 
m_i's are relatively prime. This induces a factorization of G into groups of relatively 
prime order, and if the m_i's are small we can solve the discrete log problem by going 
counterclockwise around the following diagram: 

    G            \longrightarrow   \mathbb{Z}/m\mathbb{Z} 
    \downarrow                      \uparrow 
    \prod G_i    \longrightarrow   \prod \mathbb{Z}/m_i\mathbb{Z} 

(to project G into G_i, raise to the power m/m_i, to go across, solve the problem in each 
group G_i, and to go up, use the Chinese remainder theorem). 

By combining the last two algorithms one sees that, except for a factor that is polynomial 
in log |G|, the discrete log problem for a p-smooth group is solvable in time 
roughly √p. 
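An added example (not from the paper) that combines the three procedures above for G = (Z/pZ)^*: baby-step/giant-step in a subgroup of prime order, the Pohlig-Hellman descent along the chain G_0 ⊂ G_1 ⊂ … ⊂ G_k for a prime-power order, and the projection-and-CRT step of the diagram. The primes 7681 = 2^9·3·5 + 1 and 65537 = 2^16 + 1 are chosen for the test because p − 1 is smooth; find_generator is a helper introduced here, not something the text describes.

```python
import math

def bsgs(g, a, r, p):
    """Baby-step/giant-step in the subgroup of (Z/pZ)^* of order r generated by g:
    x = x0 + x1*m with 0 <= x0, x1 < m and m ~ sqrt(r); the baby steps g^x0 are
    tabulated and the giant steps a * g^(-x1 m) are looked up in the table."""
    m = math.isqrt(r) + 1
    baby = {}
    cur = 1
    for x0 in range(m):
        baby.setdefault(cur, x0)
        cur = cur * g % p
    giant = pow(g, -m, p)
    cur = a
    for x1 in range(m):
        if cur in baby:
            return x1 * m + baby[cur]
        cur = cur * giant % p
    raise ValueError("a is not in the subgroup generated by g")

def dlog_prime_power(g, a, q, e, p):
    """Pohlig-Hellman for g of order q^e: the chain 1 = G_0 < G_1 < ... < G_e with
    |G_i/G_{i-1}| = q. x = sum x_i q^i, and every digit x_i is a logarithm in G_1."""
    x = 0
    gamma = pow(g, q ** (e - 1), p)                          # generator of G_1 (order q)
    for i in range(e):
        h = pow(a * pow(g, -x, p) % p, q ** (e - 1 - i), p)  # strip known digits, project onto G_1
        x += bsgs(gamma, h, q, p) * q ** i
    return x

def crt(residues):
    """Chinese remainder theorem for pairwise coprime moduli: [(r_i, m_i)] -> x mod prod m_i."""
    x, mod = 0, 1
    for r, m in residues:
        x += mod * ((r - x) * pow(mod, -1, m) % m)
        mod *= m
    return x % mod

def dlog(g, a, p, order_factors):
    """log_g(a) in (Z/pZ)^* given the factorization {q: e} of the group order p - 1:
    project onto each G_i (raise to the power m/m_i), solve there, then go up by CRT."""
    m = math.prod(q ** e for q, e in order_factors.items())
    residues = []
    for q, e in order_factors.items():
        qe = q ** e
        gi, ai = pow(g, m // qe, p), pow(a, m // qe, p)
        residues.append((dlog_prime_power(gi, ai, q, e, p), qe))
    return crt(residues)

def find_generator(p, order_factors):
    """Smallest generator of (Z/pZ)^* (helper for the test): g generates exactly
    when g^((p-1)/q) != 1 for every prime q dividing p - 1."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in order_factors):
            return g
```

Each baby-step/giant-step call only ever works in a subgroup of prime order q, so the cost is about Σ e_i √q_i table lookups, which is why a smooth group order makes the whole problem easy.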

In certain groups one can use the index -calculus family of algorithms, which work 
essentially by doing factorization on the left of (2.2) and linear algebra on the right. To 
use these algorithms G must be specifiable in the following way: start with a ring A that 
has unique factorization (or more generally, unique ideal factorization), take the free 
Abelian group generated by the primes (certain "exceptional" primes may be omitted), 
and form the quotient group modulo a set of multiplicative identities. If G is represented 
as such a group, then factorizations in A lead to identities in G , which can be exploited 
to compute discrete logarithms. An important feature of this family of algorithms is that 
once one logarithm is computed, others can be found relatively quickly (typically in time 
equal to the square root of that needed to compute the first logarithm). 

For example, take G = (Z/pZ)^* and A = Z [Adleman 1980]. For a smoothness 
bound M, roughly M smooth numbers of the form g^x will serve to tell us the discrete 
logarithms of all primes up to M. To find them, we try to factor random powers of g 
using primes less than or equal to M; each successful factorization gives a linear equation 
in Z/(p−1)Z for the logarithms. The time required to construct this "database" 
can be estimated by taking k = 1 and l = 2 in (3.3), assuming that a subexponential 
factorization algorithm and sparse matrix techniques (generalized to finite rings) are used. 
This gives a time of roughly L(p)^{√2} for the first phase of the algorithm. Once this is 
completed, computing the logarithm of a requires one smooth number of the form a·g^r; if r 
is chosen at random, this will succeed after approximately λ^λ trials, in approximately 
L(p)^{1/√2} steps. 
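The two-phase procedure above, as added example code (not Adleman's or the paper's) for G = (Z/pZ)^* with A = Z. Phase 1 collects smooth powers g^k, factors them over the primes up to M and solves the resulting equations for the logarithms of the factor-base primes; because Z/(p−1)Z is not a field, the example assumes p − 1 squarefree, solves the system modulo each prime factor of p − 1 by ordinary Gauss-Jordan elimination and recombines by the Chinese remainder theorem (a simplification: the sparse techniques over finite rings the text mentions are not used). Phase 2 finds one smooth value a·g^r. The prime p = 1019 with generator 2 and M = 13 are constructed test inputs.

```python
import math
import random

def primes_up_to(m):
    """Factor base: the primes <= m (sieve of Eratosthenes)."""
    sieve = bytearray([1]) * (m + 1)
    sieve[:2] = b"\x00\x00"
    for i in range(2, math.isqrt(m) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_p in enumerate(sieve) if is_p]

def trial_factor(v, base):
    """Exponent vector of v >= 1 over base, or None if a prime factor exceeds the base."""
    exps = []
    for q in base:
        e = 0
        while v % q == 0:
            v //= q
            e += 1
        exps.append(e)
    return exps if v == 1 else None

def solve_mod_prime(rows, rhs, q):
    """Gauss-Jordan elimination for A x = b (mod q), q prime, with possibly more
    rows than unknowns. Returns x, or None while the rows lack full column rank."""
    ncols = len(rows[0])
    A = [[v % q for v in r] + [b % q] for r, b in zip(rows, rhs)]
    for c in range(ncols):
        piv = next((i for i in range(c, len(A)) if A[i][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        inv = pow(A[c][c], -1, q)
        A[c] = [v * inv % q for v in A[c]]
        for i in range(len(A)):
            if i != c and A[i][c]:
                f = A[i][c]
                A[i] = [(vi - f * vc) % q for vi, vc in zip(A[i], A[c])]
    return [A[c][ncols] for c in range(ncols)]

def crt(residues):
    """[(r_i, m_i)] with pairwise coprime m_i -> x mod prod m_i."""
    x, mod = 0, 1
    for r, m in residues:
        x += mod * ((r - x) * pow(mod, -1, m) % m)
        mod *= m
    return x % mod

def factor_base_logs(g, p, order_primes, M):
    """Phase 1: logs (base g) of all primes <= M. Each smooth g^k gives the equation
    k = sum_j e_j log(p_j) in Z/(p-1)Z; with p - 1 squarefree (assumed) it is solved
    modulo every prime factor of p - 1 and the pieces are recombined by the CRT."""
    base = primes_up_to(M)
    rows, rhs = [], []
    for k in range(1, p - 1):
        e = trial_factor(pow(g, k, p), base)
        if e is None:
            continue
        rows.append(e)
        rhs.append(k)
        if len(rows) <= len(base):
            continue
        parts = [solve_mod_prime(rows, rhs, q) for q in order_primes]
        if all(sol is not None for sol in parts):
            logs = [crt([(sol[j], q) for sol, q in zip(parts, order_primes)])
                    for j in range(len(base))]
            return dict(zip(base, logs))
    raise ValueError("not enough smooth powers of g")

def index_calculus_log(g, a, p, order_primes, M, seed=0):
    """Phase 2: pick r at random until a * g^r is smooth; then
    log a = sum_j e_j log(p_j) - r  (mod p - 1)."""
    logs = factor_base_logs(g, p, order_primes, M)
    base = sorted(logs)
    rng = random.Random(seed)
    while True:
        r = rng.randrange(p - 1)
        e = trial_factor(a * pow(g, r, p) % p, base)
        if e is not None:
            return (sum(ej * logs[q] for ej, q in zip(e, base)) - r) % (p - 1)
```

The database built by factor_base_logs is what makes every later logarithm cheap: phase 2 needs just one smooth value and a table lookup, which is the "square root of the first phase" behaviour the text describes.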

This method can be modified so that it uses smooth numbers near √p rather than 
near p [Coppersmith et al. 1985]. In the analysis one has to replace p by p^{1/2} in the 
above formulas; if this is done one finds that roughly L(p) steps are needed to find the 
logarithms of small primes, and the work per additional logarithm is close to L(p)^{1/2}. 

Similar methods are available for F_q^* when q = 2^n (or, more generally, a power of a 
small prime); they have been exhaustively surveyed [Odlyzko 1985]. To study them, one 
needs an analog of (3.3) for polynomials (since elements of F_{2^n} are represented in this 
fashion). Calling a polynomial (over F_2) d-smooth if all of its irreducible factors have 
degree at most d, the analogous approximation to (3.2) is 

    \Pr[f \text{ of degree } d \text{ is } \alpha d\text{-smooth}] \approx \alpha^{1/\alpha}.        (3.6) 

Assume that the algorithm requires a collection of m-smooth polynomials, each of 
degree roughly d. Again, the work in assembling them is the size of the collection times 
the work required to test a candidate (estimated as 2^{mk}) times the inverse smoothness 
probability λ^λ. Taking λ = d/m, and assuming a second phase of complexity 2^{ml}, the 
total time is 

    T = T_1 + T_2 = 2^{mk} \lambda^{\lambda} + 2^{ml},                 (3.7) 

which is minimized asymptotically for m ≈ √((d log d)/(2k log 2)), and leads to 

    T_1 + T_2 = M(d)^{\sqrt{2k \log 2}} + M(d)^{l \sqrt{\log 2/(2k)}},        (3.8) 

where M(d) = e^{\sqrt{d \log d}}. 

The basic index-calculus algorithm in F_{2^n} first tries to find m-smooth polynomials 
g^x which have degree n. Ignoring log factors, roughly 2^m polynomials are needed. Taking 
d = n, k = 1 and l = 2 in (3.8) (the time to factor can be neglected [Berlekamp 1967], 
and as usual the linear equations are sparse), we find the time for the first phase to be 
roughly M(n)^{√(2 log 2)}, and the time to extract additional logarithms to be about 
M(n)^{√((log 2)/2)}. As with (Z/pZ)^*, this can be improved by working with smooth 
polynomials whose degree is a constant fraction of n [Odlyzko 1985]. 

The asymptotically fastest algorithm for discrete logarithms in F_{2^n} is an extension 
of the index-calculus idea that works with smooth polynomials of degree around n^{2/3} 
[Coppersmith 1984]. It requires time roughly K(n)^c, where K(n) = exp(n^{1/3} (log n)^{2/3}) 
and c = 1.41 (not the square root of 2!). 

The above algorithms will compute discrete logarithms in F_{p^m}^* when p is small or 
m is 1. Perhaps due to a lack of applications, there are no algorithms known to be 
efficient when both m and p vary. The basic algorithm can be generalized by replacing 
Z by a ring of algebraic integers [ElGamal 1986]; this handles F_{p^m}^* when m is fixed, 
but it is unclear how it can be generalized to take account of all cases. 

One can use the index-calculus method to find logarithms in (Z/nZ)^* (this was 
used in Desmedt and Odlyzko's attack on the RSA scheme), but there is a simpler 
approach: just factor the group (by factoring n), and solve the problem in each group 
separately. In some sense, this is the best possible method, because an algorithm to solve 
arbitrary discrete logarithms modulo n can be used to efficiently factor n. It can also be 
shown that discrete logarithms in (Z/p^eZ)^* reduce in polynomial time to discrete logarithms 
in (Z/pZ)^*, via p-adic logarithms [Bach 1984]. The group (Z/nZ)^* does 
have one advantage: we know that the Diffie-Hellman problem (2.3) for this group is 
difficult, if factoring is hard [Shmuely 1985]; this holds in some cases even if the generator 
g is fixed [McCurley 1987]. 

There is also an index-calculus algorithm for the class group of an imaginary quadratic 
field of discriminant −Δ, if the class number h is known [McCurley 1988]. In this 
case, an ideal A is called M-smooth if each prime ideal p dividing it satisfies Np ≤ M 
(the number of prime ideals of norm at most M is roughly the number of ordinary primes 
at most M, by the prime ideal theorem). Each ideal class contains an ideal of norm at 
most √Δ, and we can attempt to find the indices of all small prime ideals in the group 
generated by g by factoring enough M-smooth ideals of the form g^x (factorization of an 
ideal reduces to factorization of its norm in Z), and using linear algebra in Z/hZ. 
Analogously to (3.2), 

    \Pr[A \text{ with } NA \le q \text{ is } q^{\alpha}\text{-smooth}] \approx \alpha^{1/\alpha}        (3.9) 

[Hazlewood 1977], so that the asymptotic complexity of the first stage can be found by 
taking q = √Δ, k = 1, and l = 2 in (3.3); it is roughly L(Δ). To solve g^x = A given logarithms 
of all small prime ideals requires one smooth ideal (of the form g^r A), therefore 
time roughly L(Δ)^{1/2}. 

Discrete logarithms in elliptic curves and abelian varieties have also been considered 
[Miller 1985, Koblitz 1987, Koblitz 1988]. These groups have the advantage that 
the index-calculus algorithm appears not to generalize to them, and if the order of the 
group is properly chosen, the exponential-time algorithms outlined earlier in this section 
can be made very expensive. 
Since all the discrete logarithm algorithms (except for the baby-step/giant-step procedure) 
require knowledge of the group order, it is worthwhile to summarize how 
difficult this is to compute. For F_q^*, the group order is just q − 1. The orders of the last 
three groups are more refractory. It is known that any algorithm to compute φ(n), the 
order of (Z/nZ)^*, allows one to easily factor n [Miller 1976]; a similar result holds for 
the class number [Shanks 1971], although h(−Δ) can be computed in roughly L(Δ)^ 
steps [McCurley 1988]. Finally, although the number of solutions to 
y² = x³ + ax + b (mod p) can be found in O((log p)^9) steps [Schoof 1985], the degree of 
this bound is too high for the algorithm to be practical. 

Perhaps because the problem lacks the notoriety of factoring, the rigorous analysis 
of discrete logarithm procedures has not received as much attention. The exponential-time 
algorithms are easy to analyze; the index-calculus methods, relying on smoothness, 
are not. However, there are randomized algorithms for discrete logarithms in (Z/pZ)^* 
and F_{2^n} whose expected running times can be proved to be L(p)^{√2+o(1)} and 
M(n)^{√(2 log 2)+o(1)}, respectively [Pomerance 1987]. 

In contrast to factorization, there is also not much known about the special cases in 
which discrete logarithms are easy to compute. If the group is smooth, then one can use 
the factorization of the group to advantage as explained above. In particular, taking 
G = (Z/pZ)^*, discrete logarithms can be easily found if p − 1 is smooth. No one 
knows if the smoothness of p + 1 (or higher cyclotomic polynomials) helps in this case. 

An intriguing unanswered question asks if the complexity of the discrete logarithm 
problem in (Z/pZ)^* equals that of the factorization problem. More generally, one 
would like to classify these and similar problems into degrees of difficulty; although partial 
results along these lines are known [Shallit and Shamir 1985, Woll 1987, Landau 
1988], a complete theory has not yet been developed. 

4. Practical considerations 

From the above discussion, if one wishes to concoct difficult instances of a factori- 
zation or discrete logarithm problem, one must avoid smoothness. In particular, not only 
must the original structure not be smooth, but neither must any related structures have 
this property. Unfortunately, without any good lower bounds on computational complex- 
ity, we are uncertain exactly what structures count as related. In addition, all of the algo- 
rithms discussed in this paper are in some sense algebraic, but this does not eliminate the 
possibility that methods of a more combinatorial nature could be useful. 

In using the heuristic running times developed above, it is important to recognize 
that first-order formulas like (3.3) tend to overestimate running times, often by several 
orders of magnitude. For example, evaluating L(n)^{1.06} (the running time of the quadratic 
sieve algorithm with Gaussian elimination) at n = 10^92 gives 3×10^15 operations, or almost 
a year if an operation takes 8 nanoseconds. However, an actual 92-digit factorization [te 
Riele 1988] took 3 days on an NEC SX-2, a machine whose cycle time is 8 nanoseconds. 
For factorization and discrete logarithms, it would be useful to have a simple 
"second-order" theory accurate enough to account for such discrepancies. This has yet 
to be worked out in any detail, but some techniques for improving the estimates can be 
suggested. 

First, although the rough estimate ρ(λ) ≈ λ^{−λ} is surprisingly useful for values of 
practical interest (if 5 < λ < 10, it overestimates ρ by a factor of 4 at most), it is not hard 
to get better estimates. For example, if ξ denotes the positive root of e^ξ − 1 = λξ, and 
Ei(ξ) denotes the exponential integral function (that is, the Cauchy principal value of 



[de Bruijn 1951]. This is already quite accurate; when λ = 5 the error is only 10%. To 
get more precision, one can replace the integral in the definition of ρ by an approximation 
such as Simpson's rule and solve for ρ(λ) in terms of "previous" values; this gives 
an iterative scheme from which it is easy to compute ρ numerically [van de Lune and 
Wattel 1969]. There is also an asymptotic expression for ρ in terms of elementary functions 
(λ^{−λ} is its dominant factor), but it is not very precise unless λ is large. 

From the published data [Schnorr and Lenstra 1984] it appears that the probability 
of smoothness is estimated very well by the Dickman rho-function; this conclusion is 
also supported by the asymptotic theory [Canfield et al. 1983]. Once one has a good 
method to estimate this function, it is not hard to restore the "missing" log factors in 
formulas such as (3.3) and find a good value for λ numerically. This has been done at least 
for the continued fraction algorithm [Wunderlich 1985]. 

For polynomials over F_2, analogs to the Dickman rho-function have been tabulated 
and the running times of various discrete logarithm algorithms worked out [Odlyzko 
1985]. However, much less is known about the accuracy of estimates such as (3.9), 
which give the smoothness probability of ideals in algebraic number fields and therefore 
affect running time estimates for computing discrete logarithms in class groups and 
extension fields of Z/pZ. 

Of course, one can simply try out algorithms and see how they perform on a variety 
of machines. The most comprehensive such experiments have been performed with fac- 
toring algorithms, most notably using benchmark numbers from the Cunningham project 
[Brillhart et. al. 1983]. For algorithms such as the quadratic sieve that collect many rows 
of a matrix, one expects by the law of large numbers that the running time can be extra- 
polated from the time needed to find a few rows. The elliptic curve and similar algo- 
rithms are more chancy; since only one smooth group is required, there is no reliable way 
to predict when the algorithm will finish. 

Finally, some mention should be made of the parallel versions of these algorithms. 
Algorithms such as the elliptic curve and class group factorization method have a 
straightforward parallelization: give each processor its own group to try. For the quadratic 
sieve, much benefit can be gained by using the multiple-polynomial version 
[Silverman 1987]. This has the theoretical advantage that the residues sieved are smaller 
than those of the unadorned algorithm, as well as the practical advantage that each processor 
can be given its own polynomial from which to generate values for sieving. This 
was the algorithm that factored the 100-digit Cunningham number (11^104 + 1)/(11^8 + 1). 
A Family of Jacobians Suitable for Discrete Log Cryptosystems 

Abstract. We investigate the jacobians of the hyperelliptic curves v² + v = u^{2g+1} 
over finite fields, and discuss which are likely to have "almost prime" order. 

1. The discrete logarithm problem in a finite abelian group A consists in finding for 
given a, b ∈ A an integer m such that a = mb, if such m exists. In cases when the 
discrete log problem appears to be intractable in A, one can construct certain public 
key cryptosystems in which taking large multiples of a group element is the trapdoor 
function. The first examples of A that were considered were the multiplicative groups 
of finite fields. However, because some special techniques for attacking the discrete log 
problem are available in that case, it is useful to study other sources of finite abelian 
groups. In [6] we investigated the use of the jacobians of hyperelliptic curves defined 
over finite fields. 

In the present article we consider an especially simple family of such curves. We 
first give an algorithm for the group law for this family. Next, we recall how to compute 
the number of points in terms of jacobi sums. In order for the discrete log problem 
to be intractable, we would like the number of points on the jacobian to be "almost 
prime" in the sense of [6]. Some necessary conditions for this are given, and some 
examples are tabulated. 

2. For each positive integer g (the genus) we consider the hyperelliptic curve v^2 + v = 
u^{2g+1} defined over the field F_p of p elements, where p is a prime not dividing 2g + 1. 
Let K = F_{p^n}. A K-divisor is a finite formal sum D = \sum m_i P_i of \bar{K}-points on the 
curve which is fixed by any \sigma \in Gal(\bar{K}/K). Its degree is \sum m_i. The finite abelian 
group of K-points of the jacobian, denoted J(K), is the quotient of the group of K- 
divisors of degree zero by the subgroup of divisors of rational functions (defined over 
K) on the curve. Every element D \in J(K) is uniquely associated to a pair of functions 
a, b \in K[u] for which deg a \le g, deg b < deg a, and b(u)^2 + b(u) - u^{2g+1} is divisible by 
a(u); namely, D is the equivalence class of the g.c.d. of the divisors of the functions 
a(u) and b(u) - v. The element D of J(K) is then denoted div(a, b). For more details, 
see [6] and [2]. 

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 94-99, 1990. 
© Springer-Verlag Berlin Heidelberg 1990 

To add two elements div(a_1, b_1), div(a_2, b_2) \in J(K), one proceeds in two stages. 
First, let d = d(u) be the g.c.d. of the three polynomials a_1(u), a_2(u) and b_1(u) + 
b_2(u) + 1; and choose s_1(u), s_2(u) and s_3(u) to be polynomials in u such that d = 
s_1 a_1 + s_2 a_2 + s_3 (b_1 + b_2 + 1). Next, set a = a_1 a_2 / d^2 and 

b(u) = (s_1(u) a_1(u) b_2(u) + s_2(u) a_2(u) b_1(u) + s_3(u) (b_1(u) b_2(u) + u^{2g+1})) / d(u)   (mod a(u)). 

In stage 2, if deg a > g, we replace the pair (a, b) by the equivalent pair (a', b') de- 
fined by setting a'(u) = (u^{2g+1} - b(u)^2 - b(u)) / a(u) and b'(u) = -b(u) - 1 (mod a'(u)). 
Since deg a' < deg a, successive application of this procedure leads to a pair div(a'', b'') 
with deg a'' \le g such that div(a'', b'') = div(a_1, b_1) + div(a_2, b_2). This concludes the 
description of the group law in J(K). 
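The two-stage group law just described, as an added example rather than code from the paper: polynomial arithmetic over F_p, the composition step with the Bezout coefficients s_1, s_2, s_3, and the reduction step, exercised on v^2 + v = u^7 over F_2 (g = 3), where the paper's Z_3(1) = 7 says the point (0,0), written div(u, 0), has order 7.

```python
"""Group law on J(K) for v^2 + v = u^(2g+1), K = F_p, as described in section 2.

Added example (not the paper's code): polynomials are low-to-high coefficient
lists, elements are div(a, b) stored as (a, b) with a monic and deg b < deg a.
"""
from typing import List, Tuple

Poly = List[int]             # index i holds the coefficient of u^i
Divisor = Tuple[Poly, Poly]  # div(a, b)


def trim(f: Poly) -> Poly:
    """Drop leading zero coefficients; the zero polynomial is []."""
    while f and f[-1] == 0:
        f = f[:-1]
    return f


def deg(f: Poly) -> int:
    return len(trim(f)) - 1      # deg 0 == -1


def padd(f: Poly, g: Poly, p: int) -> Poly:
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return trim([(x + y) % p for x, y in zip(f, g)])


def psub(f: Poly, g: Poly, p: int) -> Poly:
    return padd(f, [(-c) % p for c in g], p)


def pmul(f: Poly, g: Poly, p: int) -> Poly:
    f, g = trim(f), trim(g)
    if not f or not g:
        return []
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] = (out[i + j] + fi * gj) % p
    return trim(out)


def pdivmod(f: Poly, g: Poly, p: int) -> Tuple[Poly, Poly]:
    """Long division over F_p (g non-zero): f = q*g + r with deg r < deg g."""
    f, g = trim(f), trim(g)
    inv = pow(g[-1], -1, p)
    q, r = [0] * max(len(f) - len(g) + 1, 1), f[:]
    while r and len(r) >= len(g):
        c, k = (r[-1] * inv) % p, len(r) - len(g)
        q[k] = c
        for i, gi in enumerate(g):
            r[k + i] = (r[k + i] - c * gi) % p
        r = trim(r)
    return trim(q), r


def monic(f: Poly, p: int) -> Poly:
    f = trim(f)
    return pmul(f, [pow(f[-1], -1, p)], p) if f else f


def xgcd(f: Poly, g: Poly, p: int) -> Tuple[Poly, Poly, Poly]:
    """Extended Euclid: monic d = gcd(f, g) and s, t with s*f + t*g = d."""
    r0, r1, s0, s1, t0, t1 = trim(f), trim(g), [1], [], [], [1]
    while r1:
        q, r = pdivmod(r0, r1, p)
        r0, r1 = r1, r
        s0, s1 = s1, psub(s0, pmul(q, s1, p), p)
        t0, t1 = t1, psub(t0, pmul(q, t1, p), p)
    if not r0:
        return [], [], []
    scale = [pow(r0[-1], -1, p)]
    return monic(r0, p), pmul(s0, scale, p), pmul(t0, scale, p)


def jac_add(D1: Divisor, D2: Divisor, g: int, p: int) -> Divisor:
    """div(a1, b1) + div(a2, b2) on v^2 + v = u^(2g+1) over F_p."""
    f = [0] * (2 * g + 1) + [1]                       # f(u) = u^(2g+1)
    (a1, b1), (a2, b2) = D1, D2
    # Stage 1: d = gcd(a1, a2, b1 + b2 + 1) = s1*a1 + s2*a2 + s3*(b1 + b2 + 1).
    d1, e1, e2 = xgcd(a1, a2, p)
    d, c1, s3 = xgcd(d1, padd(padd(b1, b2, p), [1], p), p)
    s1, s2 = pmul(c1, e1, p), pmul(c1, e2, p)
    a, _ = pdivmod(pmul(a1, a2, p), pmul(d, d, p), p)  # a = a1*a2/d^2, monic
    num = padd(pmul(pmul(s1, a1, p), b2, p), pmul(pmul(s2, a2, p), b1, p), p)
    num = padd(num, pmul(s3, padd(pmul(b1, b2, p), f, p), p), p)
    b, _ = pdivmod(num, d, p)
    _, b = pdivmod(b, a, p)                            # b reduced mod a
    # Stage 2: while deg a > g, pass to the equivalent pair (a', b').
    while deg(a) > g:
        a_next, _ = pdivmod(psub(psub(f, pmul(b, b, p), p), b, p), a, p)
        a = monic(a_next, p)                           # (u^(2g+1) - b^2 - b)/a
        _, b = pdivmod(psub([], padd(b, [1], p), p), a, p)  # -b - 1 mod a'
    return a, b


def jac_mul(m: int, D: Divisor, g: int, p: int) -> Divisor:
    """m * D by double-and-add; div(1, 0) = ([1], []) is the identity."""
    R: Divisor = ([1], [])
    for bit in bin(m)[2:]:
        R = jac_add(R, R, g, p)
        if bit == "1":
            R = jac_add(R, D, g, p)
    return R


if __name__ == "__main__":
    # Constructed check: multiples of div(u, 0) on v^2 + v = u^7 over F_2.
    P: Divisor = ([0, 1], [])
    print([jac_mul(m, P, 3, 2) for m in range(1, 8)])   # 7*P is ([1], [])
```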

3. Let g be a fixed positive integer, let J(K) denote the K-points of the jacobian of 
the curve v^2 + v = u^{2g+1} defined over F_p, where the degree d = 2g + 1 is prime to p, 
and let N_n denote #J(F_{p^n}). As explained in [6], the zeta-polynomial Z(T) = Z_g(T) 

Z(T) = \prod_{j=1}^{g} (T - \alpha_j)(T - \bar{\alpha}_j) 

of the curve v^2 + v = u^{2g+1} is related to N_n as follows: 

N_n = \prod_{j=1}^{g} |1 - \alpha_j^n|^2. 

The polynomial Z(T) is computed from the number of F_{p^n}-solutions of v^2 + v = u^{2g+1} 
for n = 1, 2, ..., g, and the result is as follows (see, e.g., [13]). 

For simplicity, we shall henceforth suppose that d = 2g + 1 is prime. In practice, 
this is the only case we shall be interested in, because of Theorem 4(1a) below. Let f 
denote the multiplicative order of p modulo d, so that d | p^f - 1, and let h denote 2g/f. 
Let \chi be a fixed character of F_{p^f}^* of order d, i.e., \chi(\rho) = e^{2\pi i/d} for some generator \rho of 
F_{p^f}^*. Let m_j, 1 \le j \le h, run through a set of representatives of (Z/dZ)^* modulo the 
subgroup {p, p^2, ..., p^f}, and let \chi_j denote the character \chi^{m_j}. For j = 1, 2, ..., h let 
J_j denote the jacobi sum 

Then J_j is a complex number of absolute value p^{f/2}, and 

Z(T) = \prod_{j=1}^{h} (T^f + J_j). 

In what follows we shall suppose that n is prime to /, in which case the preceding 
formula for Z(T) implies that 

ft 

For cryptographic purposes, we wish to choose g and n so that N_n is "almost 
prime" in the sense of [6]. For n prime this means that N_n/N_1 = \prod_{j=1}^{g} |(1 - \alpha_j^n)/(1 - 
\alpha_j)|^2 is prime. Clearly this is possible only if n is prime to f. A second necessary 
condition is that Z_g(T) not factor over the rational numbers. The theorem that follows 
describes classes of g which must be avoided, and also a class of g for which Z_g(T) is 
irreducible. 

4. Theorem. Let g > 1 be an integer. Then: 

(1) the polynomial Z_g(T) factors over the rationals (a) if d = 2g + 1 is composite; 
or (b) if d = 2g + 1 is prime and either (i) p is a quadratic nonresidue modulo d, or 
else (ii) p has order g modulo d and g is even. 

(2) the polynomial Z_g(T) is irreducible over the rationals if d = 2g + 1 is a prime, 
g is odd, and p has order g modulo d. 

The proof of this theorem is straightforward, and will be omitted. 

Corollary. For p = 2 and g < 100, the polynomial Z_g(T) is irreducible over Q 
for g = 1, 3, 11, 15, 23, 35, 39, 51, 83, 95, 99, and is reducible over Q for all other values 
except possibly for g = 36, 44, 56, 63, 75. 

5. Thus, in order to find examples of almost prime #J(F_{p^n}), we must choose g so as 
not to fall in cases (1a) or (1b) of Theorem 4, and choose n prime to f. 
For p = 2, here are the first few values of g with irreducible Z_g(T): 

Z_1(T) = T^2 + 2 
Z_3(T) = T^6 - 2T^3 + 8 
Z_{11}(T) = T^{22} - 48T^{11} + 2048 
Z_{15}(T) = T^{30} - 6T^{25} - 16T^{20} + 352T^{15} - 512T^{10} - 6144T^5 + 32768 

In the case p = 2 and g = 3, we tested #J(F_{2^n}) for all primes n < 50, and found 
the following list of all the almost prime cases, i.e., where this number is 7 times a 
prime. (We wish to thank Andrew Odlyzko for verifying primality of the three large 
unfactored integers below, using the Cohen-Lenstra algorithm.) 

n     #J(F_{2^n}) 
2     7 · 11 
13    7 · 78536756663 
29    7 · 22106072130099167870283191 
47    7 · 398227592830903984669824190479460780961207 
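How the relation N_n = \prod_j |1 - \alpha_j^n|^2 of section 3 reproduces the entries of this table, as an added example (not code from the paper): the \alpha_j are taken as the eigenvalues of the companion matrix C of Z_g(T), so N_n = det(I - C^n) is evaluated exactly over the integers, and N_n/N_1 is then tested for primality; the companion-matrix route and the Miller-Rabin test are this example's choices, not the paper's method.

```python
"""N_n = #J(F_{p^n}) from the zeta-polynomial Z_g(T) of v^2 + v = u^(2g+1).

Added example (not the paper's code). The alpha_j are the eigenvalues of the
companion matrix C of Z_g, so the product over all 2g roots of (1 - alpha_j^n)
is det(I - C^n), computed exactly with integer and Fraction arithmetic.
"""
from fractions import Fraction
from typing import List, Optional

Matrix = List[List[int]]

# Zeta-polynomials listed in section 5 of the paper (p = 2), highest degree first.
Z1 = [1, 0, 2]                                   # T^2 + 2
Z3 = [1, 0, 0, -2, 0, 0, 8]                      # T^6 - 2T^3 + 8
Z15 = ([1] + [0] * 4 + [-6] + [0] * 4 + [-16] + [0] * 4 + [352] + [0] * 4
       + [-512] + [0] * 4 + [-6144] + [0] * 4 + [32768])   # Z_15(T)


def companion(coeffs: List[int]) -> Matrix:
    """Companion matrix of the monic polynomial T^m + c_1 T^(m-1) + ... + c_m."""
    m = len(coeffs) - 1
    C = [[0] * m for _ in range(m)]
    for i in range(1, m):
        C[i][i - 1] = 1
    for i in range(m):
        C[i][m - 1] = -coeffs[m - i]
    return C


def mat_mul(A: Matrix, B: Matrix) -> Matrix:
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def mat_pow(A: Matrix, e: int) -> Matrix:
    n = len(A)
    R = [[int(i == j) for j in range(n)] for i in range(n)]
    while e:
        if e & 1:
            R = mat_mul(R, A)
        A, e = mat_mul(A, A), e >> 1
    return R


def det(M: Matrix) -> int:
    """Exact determinant by Gaussian elimination over the rationals."""
    n, d = len(M), Fraction(1)
    A = [[Fraction(x) for x in row] for row in M]
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c] != 0), None)
        if piv is None:
            return 0
        if piv != c:
            A[c], A[piv] = A[piv], A[c]
            d = -d
        d *= A[c][c]
        for r in range(c + 1, n):
            if A[r][c] != 0:
                fac = A[r][c] / A[c][c]
                A[r] = [A[r][j] - fac * A[c][j] for j in range(n)]
    return int(d)    # integer matrix, so the determinant is an integer


def count_points(zeta: List[int], n: int) -> int:
    """N_n = product over all roots of (1 - alpha^n) = det(I - C^n)."""
    Cn = mat_pow(companion(zeta), n)
    m = len(Cn)
    return det([[int(i == j) - Cn[i][j] for j in range(m)] for i in range(m)])


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first twelve prime bases (deterministic below 3.3e24)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for q in bases:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def almost_prime_cofactor(zeta: List[int], n: int) -> Optional[int]:
    """Return N_n / N_1 when N_n is N_1 times a (probable) prime, else None."""
    q, r = divmod(count_points(zeta, n), count_points(zeta, 1))
    return q if r == 0 and is_probable_prime(q) else None
```

For n = 3, which is not prime to f = 3 for this curve, N_3 = 343 = 7^3 and the cofactor is 49, illustrating why the text requires n prime to f.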



6. Remarks. 1. If J is the jacobian of v^2 + v = u^d with d = 2g + 1 prime, it is 
not hard to show that d | #J(F_p). This prevents #J(F_p) from being prime for all but 
very small values of p and d (since #J(F_p) \approx p^g). However, #J(F_p)/d \approx p^g/d may 
be prime. For example, in the first table above, for g = 15, d = 31, p = 2 we have 
#J(F_2) = Z_{15}(1) = 31 · 853. 

2. For fixed prime p, part (2) of Theorem 4 gives us a source of jacobians over F_p 
with irreducible Z_g(T): the curves v^2 + v = u^d with d a prime \equiv 3 (mod 4) for which 
p is the square of a primitive root modulo d. For fixed p, the frequency with which 
such d occur is given by a (generalization of a) conjecture of E. Artin, according to 
which there is a positive constant probability that a prime d \equiv 3 (mod 4) has p as the 
square of a primitive root. For example, when p = 2 (in which case d \equiv 7 (mod 8), 
since 2 must be a quadratic residue modulo d), the number of d \le x with the desired 
property is conjecturally asymptotic to 

More information about Artin's conjecture can be found in [11, p. 80-83 and 222-225]. 

3. In searching for suitable jacobians of curves over finite fields F_{p^n}, one can take 
several points of view. (a) One can fix the genus g and the field (i.e., p and n), and let 
the coefficients of the curve's equation vary. One expects, roughly speaking, that as 
these coefficients vary the number of points on the jacobian will be nearly uniformly 
distributed in an interval of the form (p^{gn} - c p^{(g - 1/2)n}, p^{gn} + c p^{(g - 1/2)n}). This has 
been studied in detail in the cases g = 1, n = 1, p large (see [8]) and g = 2, n = 1, p 
large (see [1]). 

(b) One can fix a curve with rational coefficients, and consider the jacobian of its 
reduction modulo p (i.e., over F p ) as p varies. In the case g = 1, conjectural formulas 
for the probability that the corresponding elliptic curve has a prime number of points 
are given in [5]. 

(c) One can fix F_p (or a finite extension of F_p) and also fix a curve with coefficients 
in that field. One then considers J(F_{p^n}), i.e., the group of points of J with coordinates 
in a finite extension of the field of definition, which is chosen so that #J(F_{p^n}) is "almost 
prime" in the sense of [6]. For this, the curve must have been chosen so that its zeta- 
polynomial Z(T) = \prod_{j=1}^{2g} (T - \alpha_j) is irreducible over Q, i.e., all of the \alpha_j are conjugates 
of \alpha = \alpha_1. Suppose, for example, that the curve is defined over F_p, it has irreducible 
zeta-polynomial, and one considers extensions F_{p^n} of prime degree n. In that case 
one is interested in primality of the norm of the algebraic integer (\alpha^n - 1)/(\alpha - 1) 
as n varies. This is a generalization of the Mersenne prime problem, and most likely 
the frequency of occurrence of prime values is predicted by a heuristic estimate of the 
same form as in the classical Mersenne case (see [12]). 

The point of view (c) is illustrated in the second table above. 

(d) One can fix the field of definition F_{p^n} and examine a family of curves of varying 
genus. This was the point of view in the first table above. Even if p^n is small, the size 
of the group of points will grow rapidly with the genus, since it is of order p^{gn}. If one 
wants #J to be a prime number or the product of a large prime and a small factor, 
then a necessary condition is that the zeta-polynomial be irreducible. 

One advantage of point of view (d), in addition to the possible desirability of 
having one more parameter to vary (the genus g), is that one can limit oneself to 
curves with special symmetry properties (e.g., the family considered in this report), 
and this seems to make it possible to compute the number of points much more rapidly 
(and also carry out the algorithm for finding multiples of points somewhat faster) than 
in the case of a general curve. 

In conclusion, we recall that, because index calculus type algorithms for finding 
discrete logs in F_{p^n}^* apparently do not carry over to elliptic curves (see [9]) or hy- 
perelliptic curves, the only known algorithm for finding discrete logs in J(F_{p^n}) takes 
time roughly proportional to the square root of the largest prime factor in #J(F_{p^n}). 
Thus, as far as we know, discrete log cryptosystems using J(F_{p^n}) seem to be secure 
for relatively small p^n (even when p = 2). From the standpoint of implementation, 
this feature may outweigh the added time required to compute the more complicated 
group operation. 
ABSTRACT 

The goal of this paper is to give a unified view of various known results 
(apparently unrelated) about numbers arising in crypto schemes as RSA, by considering 
them as variants of the computation of approximate L-th roots modulo n. Here one may 
be interested in a number whose L-th power is "close" to a given number, or in finding a 
number that is "close" to its exact L-th root. The paper collects numerous algorithms 
which solve problems of this type. 
I. INTRODUCTION 

That a lot of public-key cryptosystems or digital signature schemes are based on 
the computation of L-th roots modulo n is today a very well known fact. Roughly 
speaking, and assuming that n is a large integer (say, at least, a 320-bit long one), this 
computation is easy when n is prime or when all its prime factors are known, hard when 
n is composite and its factors unknown. The cryptographic validity of the famous system 
RSA [RSA] (as well as many other systems) is based on this dissymmetry. 

But very often in public-key cryptology, the problem is raised of extracting 
approximate L-th roots modulo n, in a sense that will be stated more precisely in next 
section. As this problem is weaker than the problem of extracting exact L-th roots 
modulo n, we may hope that it will be solved even when the factors of n remain hidden. 
As shown below, that hope is often fulfilled, provided that we do not demand a "too 
good" approximation. 

For example, in the Morrison-Brillhart factorization algorithm [MB], the most 
consuming part is the quest of integers x such that x^2 (mod n) is as small as possible 
(hoping that it is "smooth"), where n is the number to be factored. The continued 
fraction algorithm allows us to find such values of x, but most of the time, x^2 (mod n) has 
still too large factors to be useful. Fortunately, from time to time, one of them is smooth 
enough to be factored in the so-called factor base, and will contribute to discovering a 
factor of n. But this factorization algorithm would become much more efficient if 
another method was discovered, which finds square roots modulo n of still smaller 
integers. 

Another example is provided by Okamoto and Shiraishi's digital signature 
scheme [OS]. In this scheme, the signature of the message m is an integer s such that s^2 
(mod n) is close to h(m) -where h is a one-way hash-function- instead of being exactly 
equal, as in the Rabin scheme (the "square root variant" of RSA). The claimed 
advantage of this scheme was a very fast signature computation compared to the 
computation time necessary to extract an exact square root modulo n. But Brickell and 
Delaurentis broke the scheme by showing that s can be efficiently computed, even when 
the factors of n are hidden [BD]. Now, it remains an open question: can their attack be 
generalized to the version of Okamoto and Shiraishi's scheme in which the signature s is 
such that s^L \approx h(m) (mod n) with L > 4? 

This paper aims at collecting the results already established concerning these 
questions and improving them whenever possible. First (section II), we state the 
problems we are going to deal with. Then (section III), we recall how such problems 
naturally arose in public-key cryptology and briefly indicate how they were solved (or 
not...). Finally (section IV), we describe most of the algorithms sketched in section III, 
generally with enough details to effectively implement them. 

II. THE PROBLEMS 

What do we mean by approximate L-th roots modulo n? In fact, this includes a 
lot of various questions amongst which we will consider the following ones (n, L and y_0 
are three given positive integers, with L \ge 2 and y_0 < n): 

Firstly, we wish to find an integer whose L-th power modulo n is close to the 
given integer y_0. We subdivide this problem into three ones: 

(1): Find x such that x^L \approx y_0 (mod n) (no matter where x stands). 

(1a): Given x_0 such that y_0 = x_0^L (mod n), find x \approx x_0 (x \ne x_0) such that x^L \approx y_0 (mod n). 

(1b): Given x_0, find x \approx x_0 such that x^L \approx y_0 (mod n). 

Secondly, we wish to get some information about an (existing but unknown) exact 
L-th root x_0 of the given integer y_0. We subdivide this problem into two complementary 
ones: 

(2a): Find x such that x \approx x_0. 

(2b): Given x such that x \approx x_0, find x_0. 

(Note that problems (2a) and (2b) cannot both be efficiently solved with the same order 
of approximation, or there is an efficient algorithm which finds exact L-th roots modulo 
n.) 

Of course, the symbol \approx may have various significations, upon which depends 
whether the problem is efficiently solvable or not. In order to be more specific, we state 
again the above problems by replacing "x \approx x_0" with "x = x_0 + O(n^a) (mod n)" and "x^L \approx 
y_0 (mod n)" with "x^L = y_0 + O(n^b) (mod n)", where a and b are real numbers picked in 
the interval ]0,1[. Note that, if some of these problems are easily solved when prime 
factors of n are known, this knowledge apparently does not help to solve other ones, for 
example (1a) and (1b). 
III. HOW PROBLEMS AROSE 

III-1. Problem (1) and its variants 

As already noted in the introduction, problem (1) was considered by Morrison 
and Brillhart (using an idea from Lehmer & Powers) with L = 2 and y_0 = 0 [MB]. By 
computing continued fractions of n^{1/2}, one obtains values of x such that x^2 (mod n) = 
O(n^{1/2}). But only a few of them are useful to factorize n, because the quadratic residues 
modulo n which are required are generally much smaller than n^{1/2}. Unfortunately, no 
efficient algorithm is known which solves (1) with b < 1/2. On the other hand, we show in 
section IV that the continued fraction algorithm can still be used to solve (1) for small 
exponents greater than 2, but with b growing rapidly with L. 

The case {L = 2; any y_0} was solved by Brickell and Delaurentis [BD], when they 
cryptanalysed Okamoto and Shiraishi's signature scheme [OS]. In this scheme, the 
signature of the message m (or rather of its hashed version h(m)) is an integer s, not too 
small in absolute value, and such that s^2 (mod n) = h(m) + O(n^{2/3}). The public modulus n 
of the signer is in the form n = p^2 q (p and q distinct primes), because this permits a very 
fast computation of s when p and q are known, which was the claimed advantage of this 
scheme. Unfortunately for it, Brickell and Delaurentis showed that s can be computed 
with the same efficiency without knowing the factors of n and no matter what form n 
takes! We will see that their method can be easily extended to any exponent b greater 
than 1/2 (hence solving the problem (1) for L = 2, y_0 = 0 and b > 1/2). Moreover, it solves the 
variant (1b) with L = 2 and b > 1/2, but only if a + b/2 > 5/4. The Brickell and Delaurentis 
method can also be used for L = 3 [BO] but does not seem to work for L > 4. 

One year later, the cryptanalysis of some hash-function using modulo-n 
operations due to Davies and Price is reduced in [G] to solving (1a) for L = 2 and 
a = b = 7/8. First, the problem is linearized by putting x = x_0 + u. It can then be stated as 
follows: find a "very small" u such that 2ux_0 \approx 0 (mod n). Now, the equation 2ux_0 = v 
(mod n) with small unknowns u and v is solvable by developing 2x_0/n in continued 
fractions, i.e. by applying the extended Euclid's algorithm to the integers 2x_0 and n. As 
the solutions provided are shown to be such that |uv| < n, the problem (1a) appears to be 
solved for L = 2, a + b > 1 and b > 2/3. 

Does this last method allow us to solve (1b) (and consequently the problem (1) 
itself) for the same values of L, a and b? In this case, since we no longer have y_0 = x_0^2 
(mod n), we are led to an "affine" problem rather than a linear one; explicitly: find a 
very small u such that 2ux_0 \approx z_0 (mod n), where z_0 = x_0^2 - y_0 (mod n). In [OS], a 
variant of Euclid's algorithm is presented which allows one to do that. Ironically enough, 
Shamir used it to give another cryptanalysis of the OS signature scheme discussed above 
and presented in the same paper, as well as of the cryptosystem proposed one year later by 
Okamoto in [O1]! 

Recently, the authors have described in [VGT1] (or [VGT2]) a different 
technique powerful enough to solve also variant (1b) for L = 2, a + b > 1 and b > 2/3. First, the 
problem is linearized as above. Then, the linear equation (E): 2ux_0 = v (mod n) is 
interpreted as the equation of the integer lattice R spanned by (1, 2x_0) and (0, n). This 
point of view allows us to transform the problems into lattice ones ("find a short vector 
in R" or "find a point of the lattice close to a given point"), for which algorithmic 
solutions are known in all dimensions, based on the LLL basis reduction algorithm 
[LLL]. Moreover, this method can be refined in order to find x in a "quasi-uniform 
way", leading to a factorisation algorithm [V] whose proven complexity is smaller than 
Dixon's one [D]. 

III-2. Problems (2a) and (2b) 

Problem (2a) with L = 2 was first solved by Blum, Blum and Shub [BBS], when 
they analysed the left-unpredictability of the so-called x^2 (mod n) generator. In their 
paper, n is a Blum integer so that the mapping "squaring modulo n" is a permutation 
over the set of quadratic residues modulo n. So, by working in this set, the square root of 
a quadratic residue is defined in an unambiguous manner. It is shown in [W] that the 
location of x_0 (equal to 0 if x_0 < n/2, 1 if not) cannot be guessed, even with a very small 
advantage, unless factoring is easy. It follows that (2a) with L = 2 is not efficiently 
solvable for any a < 1 since even the location of x_0 cannot be found. 

The same problem is solved for all the L which are coprime to phi(n) -the RSA 
context- by (first) Goldwasser, Micali and Tong [GMT], then many others until Alexi, 
Chor, Goldreich and Schnorr [ACGS], when they studied the security of the RSA bits. It 
can be proved that the location of x_0 cannot be guessed, even with a small advantage, 
unless inverting RSA (i.e. finding x_0 in full) is easy. 

The problem (2b) has been partly solved by Shamir when he cryptanalysed the 
first version of Okamoto's cryptosystem [O1]. In this cryptosystem, the public modulus n 
is in the form n = p^2 q, as for Okamoto and Shiraishi's signature scheme. Moreover, the 
public key contains another integer x, itself of a very particular form. With the notations 
of (2b), x_0 - x plays the role of the plaintext and y_0 is the ciphertext. Shamir found two 
cryptanalyses for this system. The first one, based on the OS-variant of Euclid's 
algorithm, does not make use of the form of n but is valid only for L = 2. The second one 
works for any L but does make use of the particular form of n and x. At this stage, the 
problem (2b) appears to be solved for {L = 2, a \le 1/3} and only in very particular cases if 
L > 2. 

In [VGT1], the authors, using the lattice technique already mentioned in section 
III-1, specify an efficient algorithm solving (2b) for {L = 2, a \le 1/3} and more generally for 
any reasonably small L, sufficiently large n and sufficiently small a (in the order of about 
1/L^2). So, an L-th root modulo n can always be calculated, if we are given a sufficiently 
good approximation of this root. Moreover, the technique is general enough to apply to 
other types of approximations, such as used in the second version of Okamoto's 
cryptosystem [O2]. This version hence appears to be broken too. 

These results have consequences for the predictability of congruential pseudo- 
random generators. In particular, the truncated x^2 (mod n) generator, obtained by 
removing the 1/3 least significant bits of the sequence, is right-predictable (in a sense 
section V will make clear). 

IV. THE ALGORITHMS 

We now describe the algorithms in more detail. From now on, n is a positive 
integer and Z(n) denotes the ring of the integers modulo n that we identify with the 
interval of length n centered at 0. For any u in Z(n), |u| denotes the absolute value of u, 
i.e. the maximum of u and -u (for example, |21 (mod 25)| = |-4| = 4). 

The symbols x, x_0, y, y_0, u denote elements of Z(n) whilst a and b denote real 
numbers in ]0,1[. The notation O(f(n)) stands for any function g(n) such that |g(n)| \le 
k f(n) for some integer k and any sufficiently large n. 

For L a positive integer, we ask if the equation: 

x^L = y mod n   (E) 

admits solutions (x,y) which satisfy some closeness requirements, and if we can discover 
them. For example, can we find (x,y) such that x is "close" to a given integer x_0 and y 
"close" to another one y_0? Or without conditions on x but such that y is exactly equal to 

Of course, we can (and will often have to...) reduce our ambitions and claim our 
satisfaction if we succeed in inferring some partial information about such solutions, or, 
conversely, if some additional information about these solutions permit us to recover 
them entirely. The most famous case is the computation of an exact square root modulo 
n (n a large integer), where two extreme situations are possible. Either the factors of n 
are known and such a computation is child's play; or they are hidden and we can infer 
almost nothing about the solution. 

It must be noticed that most of the algorithms which are presented below do not 
work for all the values of their inputs. Only in some cases (e.g. algorithms VGT1 and 
VGT2), the set of values for which they fail has been carefully analysed in the original 
papers. But the fact they provide solutions most of the time is satisfactory enough for 
cryptologic applications. This is particularly true for cryptanalytic ones, which only 
require that the algorithm work for a non-negligible fraction of the input values. 

IV-1. Finding roots with small residual 

IV-1.1. Without conditions for x 

We first consider the problem of finding solutions of (E) where y is close to y_0: 
Pb (1): Given n, L, b and y_0, find x such that |x^L - y_0 (mod n)| \le O(n^b). 

Of course, if b is big enough, there is a straightforward way of finding some of 
them, which consists in detecting the elements of [y_0 - O(n^b), y_0 + O(n^b)] which are true L-th 
powers (as opposed to L-th powers modulo n) of an integer x. For instance, if L = 2 and 
b > 1/2, x = [y_0^{1/2}] (where [z] denotes the closest integer to the real number z) is a trivial 
solution of our problem since: 

x^2 = (y_0^{1/2} + \delta)^2 with |\delta| \le 1/2 

= y_0 + 2\delta y_0^{1/2} + \delta^2 ==> |x^2 - y_0| \le y_0^{1/2} + 1 < n^{1/2} \le n^b. 

In case b is a little bit too small and [y_0 - O(n^b), y_0 + O(n^b)] does not contain true L-th 
powers, other intervals [y_0 + kn - O(n^b), y_0 + kn + O(n^b)] can be tried, for k = 1, 2, .... Solutions 
which are found in this way may be considered as trivial ones. As they are necessarily 
small, with the same order of magnitude as n^{1/L}, we may define trivial solutions of (1) as 
solutions x = O(n^{1/L}). It may occur that the algorithms which are presented below 
provide trivial solutions, but they (generally) provide also non-trivial ones. 
The quadratic version (L = 2) of Pb (1) has been solved in the general case by 
Morrison and Brillhart for y_0 = 0 [MB]. They find approximations in the order of 
magnitude of n^{1/2}. More precisely: 

Algorithm MB 

*Input: n 

*Output: some x such that |x^2 (mod n)| \le 2n^{1/2} 

*Method: develop n^{1/2} in continued fractions; call x_i/y_i the convergents of n^{1/2}; 
output the x_i. 

*Proof: from a well-known inequality of continued fractions theory, we have: 

|n^{1/2} - x_i/y_i| \le 1/(y_i y_{i+1}) 

then: 

|n^{1/2} + x_i/y_i| \le 2n^{1/2} + 1/(y_i y_{i+1}) 

|n - x_i^2/y_i^2| \le 2n^{1/2}/(y_i y_{i+1}) + 1/(y_i y_{i+1})^2 

|y_i^2 n - x_i^2| \le 2n^{1/2} y_i/y_{i+1} + 1/y_{i+1}^2 \le 2n^{1/2} ==> |x_i^2 (mod n)| \le 2n^{1/2}. 

*Remark: when the periodicity of the development of n^{1/2} is small (for example 
if n = m^2 + 1), this algorithm only provides trivial solutions; if not, there may be a 
lot of (non-trivial) solutions. 

We now show that the MB idea can be extended to small exponents other than 2, 
but with less efficiency because only the first convergents have a good chance to lead to 
success: 

Algorithm MB' 

*Input: n, L (small integer = O(log n) and \ge 3), \delta (real \le 1/L) 
*Output: nothing or some x such that |x^L (mod n)| \le L n^{(L-1)/L + \delta} 

*Method: develop n^{1/L} in continued fractions; call x_i/y_i the convergents of n^{1/L}; 
output the x_i until (say) y_i > n^{\delta/(L-2)}. 

*Proof: from |n^{1/L} - x_i/y_i| \le 1/(y_i y_{i+1}) we deduce: 

n^{(L-1)/L} + n^{(L-2)/L} (x_i/y_i) + ... + n^{1/L} (x_i/y_i)^{L-2} + (x_i/y_i)^{L-1} \le L n^{(L-1)/L} + L^2 n^{(L-2)/L}/(y_i y_{i+1}) 
then: 

|n - x_i^L/y_i^L| \le L n^{(L-1)/L}/(y_i y_{i+1}) + L^2 n^{(L-2)/L}/(y_i y_{i+1})^2 
hence: 

|y_i^L n - x_i^L| \le L n^{(L-1)/L} y_i^{L-1}/y_{i+1} + L^2 n^{(L-2)/L} y_i^{L-2}/y_{i+1}^2 \le L n^{(L-1)/L} y_i^{L-2} 
(because the second term of the sum is easily shown to be smaller than 
L n^{(L-1)/L} (y_i^{L-2} - y_i^{L-1}/y_{i+1}), except perhaps in some very particular cases) 
finally: 

|x_i^L (mod n)| \le L n^{(L-1)/L + \delta}. 

But continued fractions do not seem to help in solving the problem when y_0 is 
non zero. In [BD], Brickell and Delaurentis describe an algorithm which solves the case 
{L = 2; any y_0} with b = 2/3 (i.e. approximations of n^{2/3}). But, as their original algorithm can 
be easily extended to b = 1/2 + \epsilon, for 0 < \epsilon < 1/2, it appears to be almost as efficient as 
algorithm MB, and much more general. 

The idea is the following one: not only [y_0^{1/2}] is a solution of Pb (1) but also k[z^{1/2}] 
where z = y_0 k^{-2} (mod n), for any positive integer k < n^{\epsilon/2}, as shown in the proof below. 
These new solutions are not trivial ones but are in O(n^{1/2 + \epsilon/2}). In order to find solutions 
of any magnitude, Brickell and Delaurentis proceed as follows: 

Algorithm BD 

*Input: n, y_0, \epsilon (0 < \epsilon < 1/2) 

*Output: some x such that |x^2 - y_0 (mod n)| = O(n^{1/2 + \epsilon}) 

*Step 1: find k (coprime with n) and x' such that k = O(n^{\epsilon/2}) and 2kx' (mod n) = 
O(n^{\epsilon}); 

*Step 2: calculate y = y_0 - x'^2 (mod n) 
z = y k^{-2} (mod n) 
t = [z^{1/2}] = z^{1/2} + \delta with |\delta| \le 1/2; 

*Step 3: output x = x' + kt. 

*Remark: for step 1, it suffices to choose x' in one of the intervals I_i centered 
at [ni/2k] with radius [n^{\epsilon}/2k]. 

*Proof: in a straightforward manner (all the equalities standing modulo n): 
x^2 = x'^2 + k^2 t^2 + 2kx't 

= x'^2 + k^2 (z^{1/2} + \delta)^2 + 2kx't 

= x'^2 + k^2 z + 2k^2 z^{1/2} \delta + k^2 \delta^2 + 2kx't 

= x'^2 + y_0 - x'^2 + 2k^2 z^{1/2} \delta + k^2 \delta^2 + 2kx't 

= y_0 + O(n^{1/2 + \epsilon}) + O(n^{\epsilon}) + O(n^{1/2 + \epsilon}) 

= y_0 + O(n^{1/2 + \epsilon}) 

Does algorithm BD extend to L > 2? One can remark that the above proof does 
not work for L = 3, except if one makes some very particular choices, namely: x' = [n/3] 
and k = 1. Then, choosing y = y_0 - x'^3 (mod n) and t = nearest integer to y^{1/3} divisible by 3, 
leads to success for b = 2/3; details may be found in [BO]. For L > 4, the method does not 
seem to work at all. 

IV-1.2. With conditions for x 

We now come to algorithms which not only solve Pb (1) but provide solutions 
which are themselves close to a given integer x_0. This new problem can be subdivided 
into two subproblems. In the first one, Pb (1a), y_0 is nothing but the L-th power of x_0; in 
other words, we have to find a solution (x,y) of (E), close to another already known 
solution. In the second one, Pb (1b), y_0 and x_0 are any two elements of Z(n). It is clear that 
this last problem is harder than both Pb (1) and Pb (1a). Note also that knowledge of 
the factors of n completely solves Pb (1) but does not seem to help to solve Pb (1a) and 
Pb (1b). 

Pb (1a): Given n, L, a, b, x_0 and y_0 such that y_0 = x_0^L (mod n), find x \ne x_0 such that |x - x_0| \le 
O(n^a) and |x^L - y_0 (mod n)| \le O(n^b). 

Pb (1b): Given n, L, a, b, x_0 and y_0, find x such that |x - x_0| \le O(n^a) and |x^L - y_0 (mod n)| \le 
O(n^b). 

First, a closer look at the BD algorithm shows that it solves (but not very well) 
Problem (1b): 

Algorithm BD' 

*Input: n, x_0, y_0, a, b (s.t. a + b/2 > 5/4 and b > 1/2) 

*Output: some x such that |x - x_0| \le O(n^a) and |x^2 - y_0 (mod n)| \le O(n^b) 

*Method: as in algorithm BD with \epsilon = b - 1/2, by choosing k close to n^{\epsilon/2} and x' in 
the interval I_i which is the closest one to x_0. 

*Proof: the distance between two consecutive intervals I_i and I_{i+1}, defined in 
the remark of algorithm BD, is smaller than n/2k = O(n^{1 - \epsilon/2}). 

Better solutions to Pb (1b) are obtained by linearizing it, as will be explained in 
subsection IV-1.2.2. Beforehand, we have to make a digression into Euclid's algorithm 
and some of its extensions. 
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IV-1.2.1. A. Euclidean digression 

We consider here the equation: 

dx = y (mod n) (E') 
where d is a positive integer smaller than n, and ask if there are solutions (x,y) close to a 
given pair (x^): x = Xg + 0(n a ) and y = y 0 + 0(n b ) . 

Let us start with the case Xq = yg = 0. It is proven in [DC] (or [G]) that such 
solutions certainly exist if a+b = 1. More precisely, for any pair (X,Y) whose product is 
greater than n, there is at least one solution (x,y) such that |xj<X and |y|<Y. In order to 
discover it (or them), it is useful to remark that finding small (x,y) satisfying (E') comes 
to finding a good approximation of the fraction d/n. So, here again, we (almost) always 
find such a solution by developing it in continued fractions i.e. applying Extended 
Euclid's algorithm to d and n: 

Algorithm EE

*Input: n, d, a, b (s.t. $a + b > 1$)

*Output: nothing or some x such that $|x| \le n^a$ and $|dx \pmod n| \le n^b$

*Method: apply the Extended Euclidean algorithm to n and d; one obtains coefficients $l_i$ and $m_i$ such that $l_i n + m_i d = r_i$, where the $r_i$ are the successive remainders (the last non-zero remainder being equal to the greatest common divisor of n and d); output the smallest (in absolute value) $m_i$ such that $n^{1-b} \le |m_{i+1}|$ (the case "such an $m_i$ does not exist" is very rare).

*Proof: the fractions $-l_i/m_i$ are in fact the convergents of the continued fraction expansion of d/n; hence:

$|d/n + l_i/m_i| \le 1/|m_i m_{i+1}| \;\Longrightarrow\; |d m_i + n l_i| \le n/|m_{i+1}| \;\Longrightarrow\; |d m_i \pmod n| \le n/|m_{i+1}| \le n^b.$

Moreover, $|m_i| \le n^{1-b} \le n^a$ since $a + b > 1$.

Now, what happens if $x_0$ and $y_0$ are non-zero? Of course, it is enough to solve the problem for $x_0 = 0$ and any $y_0$ (if $x_0$ is not equal to zero, it suffices to replace $y_0$ with $y_0 - d x_0 \pmod n$). Okamoto and Shiraishi provide in [OS] an extension of the Extended Euclidean algorithm which very often solves this problem. We hope that we do not distort it too much by presenting it as follows:



Algorithm OS

*Input: n, d, a, b (s.t. $a + b \ge 1$), $y_0$

*Output: nothing or some x such that $|x| \le n^a$ and $|dx - y_0 \pmod n| \le n^b$

*Step 1: apply the Extended Euclidean algorithm to d and n (as in algorithm DC);
*Step 2: introduce a sequence $y_i$ whose first term is $y_0$ and following ones are defined by $y_i = y_{i-1} - q'_i r_i$, where $q'_i$ is the quotient in the division of $y_{i-1}$ by $r_i$;
*Step 3: introduce also the sequences $h_i$ and $k_i$ whose first terms $h_0$ and $k_0$ are zero and following ones are defined by $h_i = h_{i-1} + q'_i l_i$ and $k_i = k_{i-1} + q'_i m_i$;
*Step 4: output $k_i$ such that $n^{1-b} \le |k_i| \le n^a$ (mind: its existence is questionable, especially if $a + b$ is close to 1).

*Proof: from $l_i n + m_i d = r_i$ we easily deduce $h_i n + k_i d = h_{i-1} n + k_{i-1} d + (y_{i-1} - y_i)$; then:

$h_i n + k_i d = 0 + (y_0 - y_1) + (y_1 - y_2) + \dots + (y_{i-1} - y_i) = y_0 - y_i \;\Longrightarrow\; k_i d \pmod n = y_0 - y_i.$

Moreover, when it can be shown that $|k_i|\,|y_i| < n$ (it is very often the case), we have: $|k_i| \ge n^{1-b} \Longrightarrow |y_i| \le n^b$.

IV-1.2.2. Come back to our problems

In [G], one of the authors shows that the quadratic version of (1a) can be solved with $a + b > 1$ and $b > 2a$ (which is equivalent to: $a + b > 1$ and $a < 1/3$, or: $a + b > 1$ and $b > 2/3$). The idea consists in reducing the problem to a linear one by taking advantage of the fact that we already know a solution of (E):

Algorithm G

*Input: n, a, b (s.t. $a + b > 1$ and $b > 2a$), $x_0$, $y_0$ (s.t. $y_0 = x_0^2 \pmod n$).

*Output: nothing or some x such that $0 < |x - x_0| \le n^a$ and $|x^2 - y_0 \pmod n| \le 2n^b$

*Method: perform algorithm EE with inputs n, $2x_0$, a, b; output $x = x_0 + m_i$.

*Proof: $x^2 = (x_0 + m_i)^2 = x_0^2 + m_i^2 + 2 m_i x_0 \pmod n = y_0 + m_i^2 + 2 m_i x_0 \pmod n$.
We know from the previous section that $|2 m_i x_0 \pmod n| \le n^b$.
Moreover, $|m_i| \le n^a \Longrightarrow m_i^2 \le n^{2a} \le n^b$ since $b \ge 2a$.
It follows that $|x^2 - y_0 \pmod n| \le 2n^b$.
Let us now consider Pb (1b). If, in algorithm G, we substitute algorithm OS for Euclid's, we obtain a new algorithm that Shamir used to cryptanalyse the OS signature scheme:

Algorithm S1

*Input: n, a, b (s.t. $a + b > 1$ and $b > 2a$), $x_0$, $y_0$

*Output: nothing or some x such that $|x - x_0| \le n^a$ and $|x^2 - y_0 \pmod n| \le 2n^b$

*Method: perform algorithm OS with inputs n, $2x_0$, a, b, $z_0 = y_0 - x_0^2 \pmod n$; output $x = x_0 + k_i$.

*Proof: $x^2 = (x_0 + k_i)^2 = x_0^2 + k_i^2 + 2 k_i x_0 \pmod n$.

We know from the previous section that, very often, $|2 k_i x_0 - z_0 \pmod n| \le n^b$.
Moreover, $|k_i| \le n^a \Longrightarrow k_i^2 \le n^{2a} \le n^b$, since $b > 2a$.
It follows that $|x^2 - y_0 \pmod n| \le 2n^b$.
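The Euclid-based algorithms EE, OS, G and S1 above, as an added worked example in Python that is not the authors' code: the helper names, the nearest-integer choice of the quotients $q'_i$ in OS, and the sample modulus and exponents are assumptions of this example.

```python
"""Approximate linear and quadratic congruences with Extended Euclid.

Added worked example (not the authors' code) of algorithms EE, OS, G and S1
as described in the text.  Bounds n^a, n^b are computed as floats, so keep n
below about 1e300.  The rows (l_i, m_i, r_i) and the OS sequences
(h_i, k_i, y_i) follow the paper's notation.
"""


def centered_mod(v, n):
    """Representative of v mod n in (-n/2, n/2]; its |.| is |v (mod n)|."""
    r = v % n
    return r - n if r > n // 2 else r


def euclid_rows(n, d):
    """Extended Euclid on (n, d): rows (l_i, m_i, r_i) with l_i*n + m_i*d = r_i,
    the r_i being the successive remainders.  The terminal row (r = 0,
    |m| = n/gcd) is kept so that |m_{i+1}| eventually exceeds any bound < n."""
    rows = []
    prev, cur = (1, 0, n), (0, 1, d % n)
    while True:
        rows.append(cur)
        if cur[2] == 0:
            return rows
        q = prev[2] // cur[2]
        prev, cur = cur, tuple(p - q * c for p, c in zip(prev, cur))


def algorithm_EE(n, d, a, b):
    """Algorithm EE: the m_i of smallest |m_i| with |m_{i+1}| >= n^(1-b).
    Then |m_i| < n^(1-b) <= n^a, and d*m_i mod n = r_i <= n/|m_{i+1}| <= n^b
    because consecutive rows satisfy r_i*|m_{i+1}| + r_{i+1}*|m_i| = n."""
    if a + b <= 1:
        raise ValueError("algorithm EE needs a + b > 1")
    rows = euclid_rows(n, d)
    for i in range(len(rows) - 1):
        if abs(rows[i + 1][1]) >= n ** (1 - b):
            return rows[i][1]
    return None


def os_rows(n, d, y0):
    """Steps 2-3 of algorithm OS: y_i = y_{i-1} - q'_i r_i, h_i = h_{i-1} + q'_i l_i,
    k_i = k_{i-1} + q'_i m_i, so that h_i*n + k_i*d = y0 - y_i at every step.
    q'_i is taken as the nearest integer (an assumption), keeping |y_i| <= r_i/2."""
    out = []
    y, h, k = y0 % n, 0, 0
    for l, m, r in euclid_rows(n, d):
        if r == 0:
            break
        q = (2 * y + r) // (2 * r)
        y, h, k = y - q * r, h + q * l, k + q * m
        out.append((h, k, y))
    return out


def algorithm_OS(n, d, a, b, y0):
    """Step 4 of algorithm OS: a k_i with n^(1-b) <= |k_i| <= n^a whose residual
    |y_i| = |d*k_i - y0 (mod n)| is at most n^b; None if no row qualifies
    (the paper notes this can happen, especially when a + b is close to 1)."""
    for _, k, y in os_rows(n, d, y0):
        if n ** (1 - b) <= abs(k) <= n ** a and abs(y) <= n ** b:
            return k
    return None


def algorithm_G(n, a, b, x0, y0):
    """Algorithm G: given y0 = x0^2 (mod n), an x != x0 with |x - x0| <= n^a and
    |x^2 - y0 (mod n)| <= 2 n^b, by running EE on the linearised d = 2 x0."""
    m = algorithm_EE(n, 2 * x0 % n, a, b)
    return None if m is None else x0 + m


def algorithm_S1(n, a, b, x0, y0):
    """Algorithm S1: same linearisation with OS in place of EE, for arbitrary y0
    (z0 = y0 - x0^2 is the offset the linear solver has to absorb)."""
    z0 = (y0 - x0 * x0) % n
    k = algorithm_OS(n, 2 * x0 % n, a, b, z0)
    return None if k is None else x0 + k


if __name__ == "__main__":
    n, a, b = 2 ** 61 - 1, 0.3, 0.75     # constructed sample modulus and exponents
    x0 = 123456789
    x = algorithm_G(n, a, b, x0, x0 * x0 % n)
    print(x - x0, centered_mod(x * x - x0 * x0, n))
```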

Another point of view has been recently considered by the authors in [VGT1] or [VGT2]. Using the theory of lattice basis reduction, they present an algorithm which solves Pb (1b) under the same conditions as algorithm S1 but is better adapted to generalizations (see IV.2). The starting point is identical: we want $x = x_0 + u$ and $x^2 \pmod n = y_0 + v$ with u and v small. These two equalities imply $2u x_0 = z_0 + w \pmod n$ with $z_0 = y_0 - x_0^2 \pmod n$ and $w = v - u^2 \pmod n$. But the set of vectors (u, u') such that $2u x_0 = u' \pmod n$ may be seen as the lattice $R(x_0)$ spanned by the vectors $(1, 2x_0)$ and $(0, n)$. If we find a point (u, u') of $R(x_0)$ close to $(0, z_0)$, in the sense that $u = O(n^a)$ and $u' = z_0 + O(n^b)$, then $v = w + u^2 = O(n^b) + O(n^{2a}) = O(n^b)$, since $b \ge 2a$, and the problem is solved. We now see how to find such a point (u, u'):

Algorithm VGT1

*Input: n, a, b (s.t. $a + b > 1$ and $b > 2a$), $x_0$, $y_0$

*Output: nothing or some x such that $|x - x_0| \le O(n^a)$ and $|x^2 - y_0 \pmod n| \le O(n^b)$

*Step 1: consider the lattice $M(x_0)$ spanned by the vectors $(k, 2k'x_0)$ and $(0, k'n)$, where $k = [n^{(b-a)/2}]$ and $k' = 1/k$.

*Step 2: use the LLL algorithm [LLL] to find a point (t, t') of $M(x_0)$ very close to the point $(0, k'z_0)$, with $z_0 = y_0 - x_0^2 \pmod n$.

*Step 3: output $x = x_0 + t/k$ (mind: its existence is questionable, especially if $a + b$ is close to 1).

*Proof: let $e = (a + b - 1)/2$. Except in some exceptional cases (see details in [VGT1]), the shortest vector of the lattice $M(x_0)$ is not too small, of length $\ge n^{1/2 - e}$. Lattice theory tells us that any ball B(P, r) with $r > (2H_2)^{1/2} n^{1/2 + e}$, where $H_2$ is Hermite's constant in dimension 2 (for the definition see e.g. [LLL] or [VGT2]), contains at least one point of the lattice. Moreover, the LLL algorithm (i.e. Gauss' algorithm in dimension 2) allows us to find such a point, say T = (t, t'). Let P be the point $(0, k'z_0)$. Since the distance between T and P is smaller than r, we have $|t|$ and $|t' - k'z_0| \le (2H_2)^{1/2} n^{1/2 + e}$. It remains to put $u = t/k$ and $u' = t'/k'$ (remark that u and u' are necessarily integers). Then $|u| \le (2H_2)^{1/2} n^{1/2 + e} n^{(a-b)/2} \le O(n^a)$ and $|u' - z_0| \le (2H_2)^{1/2} n^{1/2 + e} n^{(b-a)/2} \le O(n^b)$, the inequalities we wanted.

IV-2. Finding something about exact roots

We now consider the problem of finding $x_0$, an exact L-th root modulo n of a given integer $y_0$. Here again, there are situations in which the problem can be considered trivial: when $y_0$ is a true L-th power or when the factorization of n is known. At the other extreme, the problem is especially hard in almost all other cases, since one (presently) does not know how to extract L-th roots modulo n without the factors of n. Between these two extreme situations, we may consider intermediate ones. First, can we at least infer some partial information about where $x_0$ lies? Or, on the contrary, if we are given some information about the location of $x_0$, can we recover it entirely?

IV-2.1. Inferring some partial information about the location of $x_0$

We first consider the following problem:

Pb (2a): Given n, L, a and $y_0$ (known to be the L-th power modulo n of an integer $x_0$), find x such that $|x - x_0| \le O(n^a)$.

This question has been widely discussed between 1982 and 1984, since it is related to the security of RSA (or Rabin) bits [BBM], [GMT], [VV], [ACGS]. The conclusion was that Pb (2a) has definitely no solution at all, even when a is very close to 1 (we refer the reader to the introduction).

IV-2.2. Finding $x_0$ with some help

Let us come now to our last problem:

Pb (2b): Given n, L, a, $y_0$ (known to be the L-th power modulo n of an integer $x_0$), and x such that $|x - x_0| \le O(n^a)$, find $x_0$.

In [O2], Okamoto presents an algorithm due to Shamir which solves the quadratic version of this problem (it is the little sister of algorithm S1):

Algorithm S2

*Input: n, $y_0$, x (s.t. $|x - x_0| \le O(n^{1/3})$)
*Output: nothing or $x_0$

*Method: apply algorithm OS to n, 2x, 1/3, 2/3, $z_0 = x^2 - y_0 \pmod n$; output $x_0 = x - k_i$ for $|k_i| \approx n^{1/3}$; check that $y_0 = x_0^2 \pmod n$.

*Proof: let $x = x_0 + u$; then $2 x_0 u = z_0 - u^2 \pmod n$, hence also $2xu = z_0 + u^2 \pmod n$, and we are reduced to finding $u = O(n^{1/3})$ such that $|2xu - z_0 \pmod n| \le O(n^{2/3})$. Such a u is likely to be one of the $k_i$ close to $n^{1/3}$ provided by algorithm OS.

In [VGT1], the authors, using the lattice technique introduced in IV-1, solve Pb (2b) for any (reasonably small) L and a in the order of about $2/L^2$. We only state here a weak version of this result (more generally, $x_0$ can be found even if $y_0$ is not exactly known, provided the approximation on $y_0$ is in the order of about 2/L) and we suppose n square-free for simplicity:

Algorithm VGT2

*Input: n (square-free), $a = 2/[L(L+1)]$, $y_0$, x (s.t. $|x - x_0| \le O(n^a)$)
*Output: nothing or $x_0$

*Sketch of the method: similar to algorithm VGT1 (but mind: now x is known and $x_0$ is the unknown!).

*Sketch of the proof: similar to VGT1; the property used here is the following one: if the shortest vector of M(x) is not too small, of length $\ge n^{1/L - e}$, then the ball B(P, r) with $r < n^{1/L - e}/2$ contains at most one point of the lattice. This point is found, if it exists and lies in a slightly smaller ball, by the LLL algorithm.

To be more explicit, let us consider the case L = 3. In that case, the lattice R(x) is the one spanned by the vectors $(1, 0, 3x^2)$, $(0, 1, 3x)$ and $(0, 0, n)$, and the lattice M(x) is obtained by multiplying the first (resp. second, resp. third) coordinate by k (resp. k', resp. k'') such that $k n^a = k' n^{2a} = k'' n^b$ and $kk'k'' = 1$.
The general result of [VGT1] can interestingly be applied to pseudo-random number generators (PRNG). Consider for example the case L = 2 (hence $a = 1/3$) and the sequence $s_{i+1} = s_i^2 \pmod n$, where $s_0$ is a secret seed. Let $t_i$ be the number obtained by removing the $[(\log_2 n)/3]$ least significant bits of $s_i$ for $i \ge 1$. It results from [VGT1] that this PRNG is not secure, since we can recover $s_1$ and $s_2$ (hence all the $s_i$, hence all the $t_i$!) from $t_1$ and $t_2$.

V. CONCLUSION

We have shown how various known algorithms may be considered as variants of the computation of approximate L-th roots modulo n, and have given a unified description of all these (often revisited) algorithms. Except for the most complicated ones, for which the given references should be consulted, enough details are provided to implement them.

On the way, we have improved or extended some of these algorithms (see algorithm MB', the extension of algorithm BD to any small exponent e, algorithm BD', and the "new look" of algorithm OS).

Some questions remain open, amongst which we point out:

1) can we solve $x^L \approx y_0 \pmod n$ for L > 4 with an approximation on y of order $n^{2/3}$ (this problem is related to the generalized Okamoto-Shiraishi signature scheme)?

2) can we solve $x^2 \approx y_0 \pmod n$ with an approximation on y of order less than $n^{1/2}$ (this problem is related to the Morrison-Brillhart factorization algorithm)?

3) can we solve $x \approx x_0$ and $x^2 \approx y_0 \pmod n$ with an approximation on x and y of order $n^{1/2}$ (this problem is related to the quadratic congruential pseudo-random number generator)?
Abstract

Based on an idea by Hin, the method of obtaining the original message after selecting k of n coordinates at random in the McEliece public-key cryptosystem is improved. The attack, which is more efficient than the attacks previously proposed, is characterized by a systematic method of checking and by a random bit swapping procedure. An optimization procedure similar to the one proposed by Lee and Brickell is used to improve the attack. The attack is highly suitable for parallel and pipelined implementation. The work factor and the values which yield 'maximum' security for the system are given.

It is shown that the public key can be reduced to $k \times (n - k)$ bits.

1 Introduction

At Crypto'87 Adams and Meijer [1] presented a paper in which the 'optimum' values for the parameters of the McEliece public-key cryptosystem [9] are given. As shown in [1] these values improve the cryptanalytic complexity of the system and increase the information rate. As noted in [4,9] there are several ways of attacking McEliece's cryptosystem. Of the known attacks, the one which requires the least effort is based on decoding a more or less arbitrary linear code containing correctable errors. It has been proved in [2] that the general decoding problem for linear codes is NP-complete, so one certainly expects that for sufficiently large code parameters the minimal effort for this attack will become computationally infeasible. The best known attack is based on selecting and solving k of n equations obtained from the (publicly known) encryption matrix and the cryptogram. Thereafter it is necessary to verify whether the obtained solution is unique and gives the correct plaintext. If the solution is not correct, then a new set of k equations has to be selected, etc. For this attack it was shown in [1] that for a suitable choice of the parameters the minimal effort can be maximized.

This paper gives an improved method to obtain the original message after selecting k of n cryptogram bits. A bit swapping procedure is used to randomly renew the set of k bits one bit at a time. A fast validation whether the selected k bits are error-free and the corresponding columns of the publicly known encryption matrix are linearly independent is part of the algorithm.

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 119-131, 1990.
© Springer-Verlag Berlin Heidelberg 1990

At the same time this paper was accepted for presentation at Crypto'88, Lee and Brickell [7] presented an elegant attack on the McEliece public-key cryptosystem at Eurocrypt'88. Their attack is based on a generalization of two well known attacks and includes a systematic method for checking whether the obtained message agrees with the original message; it is closely related to our attack.

Sections 2 and 3 describe the public-key cryptosystem and some well known attacks on this system. Section 4 discusses the basics of the proposed attack, including the way of validation. The algorithm, based on a bit swapping procedure, is subsequently given in the next section. Section 6 considers the bit swapping procedure in more detail. In Section 7 the work factor is discussed and in Section 8 an optimization similar to the one proposed by Lee and Brickell is used to improve the attack. Finally we note in Section 9 that the public key can be reduced to $k \times (n - k)$ bits without affecting the security of the system.



2 McEliece's Cryptosystem

The McEliece public-key cryptosystem can be easily understood from the following description. Let C be a linear [n, k, d] code over GF(2) with code length n, dimension k and minimum distance d. Let the $k \times n$ matrix G be a generator matrix of C and let the $(n - k) \times n$ matrix H be a parity check matrix of C. The publicly known encryption matrix E is defined by

$E = SGP,$    (1)

where S is a $k \times k$ non-singular binary matrix over GF(2) and P is an $n \times n$ permutation matrix. The scheme also uses a subset Z of $GF(2)^n$ with the property that the Hamming weight $w_H(z)$ of the vectors $z \in Z$ is less than or equal to $t = (d - 1)/2$. Generally $w_H(z) = t$.

A k-bit message m is encrypted into the n-bit ciphertext e as follows

$e = mE + z = c + z,$    (2)

where c is an n-bit permuted codeword from C.

Decryption is straightforward. An enciphered message is formally decrypted by the following steps.

1. Compute $e' = eP^T$ and obtain the error pattern $z' = zP^T$. Let $c' = e' - z'$.

2. Calculate $m = m' \times S^{-1}$, where m' represents the first k bits of c'. The result is the plaintext m.
This encryption scheme must satisfy the properties introduced by Diffie and Hellman [3] to become a public-key cryptosystem. Therefore the decryption process must be fast if the private keys S, P and G are known, and the decryption process must be infeasible if only the public key E is known. Furthermore the encryption process must be fast if one has only knowledge of the public key E. McEliece based his cryptosystem on the existence of Goppa codes, which meet the conditions for a public-key cryptosystem and can easily be generated.

We note that Goppa codes are in general not maximum distance separable (MDS) codes. The only binary MDS codes are the trivial ones, which are of no use in the (binary) McEliece scheme. More details about Goppa codes can be found in e.g. [8].

3 Cryptanalysis of the McEliece Cryptosystem

In this section we will discuss some general and well known attacks on the McEliece scheme. We shall not pay attention to special cases for which fast cryptanalysis exists.

3.1 Factoring the encryption matrix

Let $G_s$ denote the generator matrix G in systematic form and let the encipher matrix E be $S G_s P$. The number of non-singular matrices S is given by $0.29 \times 2^{k^2}$. There exist approximately $2^{mt}/t$ generator matrices $G_s$ for a binary irreducible t-error correcting Goppa code. And there are n! possible permutation matrices. Moreover, as shown by Adams and Meijer [1], the only transformation which transforms the encryption matrix E into a generator matrix G whose algebraic structure allows us to use a fast decoding algorithm is the original transformation, i.e. $G = S^{-1} E P^{-1}$. Therefore we may conclude that for sufficiently large parameters it will be infeasible to obtain the private keys S, G and P by an exhaustive search.

3.2 Recover message from cryptogram and encryption matrix

McEliece states in [9] that probably the most promising attack on his scheme consists of actually solving the basic problem, i.e. decoding a more or less arbitrary [n, k, d] linear code containing t correctable errors. As it has been proved that the general decoding problem is NP-complete [2], one certainly expects that for large code parameters this attack will be infeasible.

A straightforward approach is based on a brute force distance search: comparing the cryptogram e to each permuted codeword c = mE. If the Hamming distance satisfies $d_H(e, c) \le t$, then m is the original message. However this method has a work factor of about $O(2^k)$. For k = 654 this becomes $2^{654} \approx 10^{197}$, which is astronomically large.

Another approach is based on a brute force search for a correct syndrome. Let D be the matrix HP. Clearly $ED^T = 0$. Find an error vector z with minimum weight for which $eD^T = zD^T$. However, it seems to be necessary to search through all solutions of this equation to find the desired z of minimum weight, and this has a work factor of about $O(n^t)$.

McEliece proposes in [9] to select randomly k of n ciphertext bits from e in the hope that none of the k selected bits are in error, and, based on this assumption, to obtain the correct plaintext m. The probability $p_k$ of no error in the chosen k bits of e, however, is equal to

$p_k = \binom{n-t}{k} \Big/ \binom{n}{k} = \prod_{i=0}^{k-1} \frac{n-t-i}{n-i}.$    (3)

Selecting k bits which are not in error does not guarantee that the corresponding $k \times k$ sub-matrix of E is non-singular. This only holds for maximum distance separable codes (MDS, [8]). In case of an MDS code every k columns of the encryption matrix are linearly independent. Since the Goppa codes used in the McEliece scheme are not MDS, we will have k linearly independent columns with a probability $q_k > 0$. This also holds for the encryption matrix E, since S works on the message space and P permutes the code words. Clearly, $q_k$ can not be estimated by assuming that E is a random matrix.

The amount of work involved in solving k simultaneous equations in k unknowns is $k^\alpha$ (e.g. $\alpha = 2.8$ [6]). Let $V_k$ be the average work factor if k columns are linearly dependent. Hence, before finding the message m with this attack one expects a work factor of

$W = \gamma \times [(1 - q_k) V_k + q_k k^\alpha] \times q_k^{-1} \times p_k^{-1}.$    (4)

We can use the Hamming distance to check whether the obtained message $\hat m$ is the correct plaintext. If $d_H(e, \hat m E) \le t$, then $\hat m$ is the original message m. The additional cost to validate each message $\hat m$ is therefore O(nk).

Adams and Meijer [1] established by exhaustive search that for values of $\alpha$ between 2 and 3, the maximal work factor (without validation, $\gamma = 1$ and $q_k = 1$) is reached at t = 37. In this case for $\alpha = 3$ the work factor is approximately $2^{84.1}$, while for t = 50 this becomes $2^{80.7}$. As a consequence of this improvement, the value of k is increased from 524 to 654; i.e. the information rate R = k/n is increased from 0.51 to 0.64.

4 Main Idea

A straightforward approach is based on a brute force distance search as mentioned in the previous section. Despite the high work factor this approach has the advantage that there are no additional validation costs, because the validation is part of the attack itself. As suggested by Hin [5], this attack can be improved by taking the constraints imposed by the cryptogram into account. For this reason we have to restate the above attack in terms of the cryptogram e instead of the message m.

For the attack to be described in the next section we need a decomposition of the encryption matrix E in the following form

$E = S_a [I_k \,|\, A_a] P_a,$    (5)

where $I_k$ is the $k \times k$ identity matrix and $A_a$ a $k \times (n - k)$ binary matrix. Since every linear code is equivalent to a systematic code, this decomposition is always possible.

If we apply a permutation matrix $P_a$ to $e = mE + z$, then we obtain the relation

$eP_a = cP_a + zP_a,$    (6)

which will be denoted as $e_a = c_a + z_a$.

The function FKB(x) is defined as

$FKB(x) = FKB(x_1, x_2, \dots, x_k, x_{k+1}, \dots, x_n) = (x_1, x_2, \dots, x_k).$

Hence, FKB(x) selects the first k bits from an n-bit vector x.

We are now able to prove the next theorem.

Theorem 1 If $P_b$ is a permutation matrix for which $e = mE + z$ can be written as

$e_a P_b = m S_a S_b [I_k \,|\, A_b] + z_a P_b,$

then

$w_H(FKB(z_a P_b)) = 0 \iff d_H(FKB(e_a P_b)[I_k \,|\, A_b],\, e_a P_b) \le t.$    (7)

Proof. We have

$d_H(m S_a S_b [I_k \,|\, A_b],\, e_a P_b) = w_H(z_a P_b) \le t.$

From which it follows that

$d_H(FKB(e_a P_b - z_a P_b)[I_k \,|\, A_b],\, e_a P_b) \le t.$

If $w_H(FKB(z_a P_b)) = 0$, then it follows that $d_H(FKB(e_a P_b)[I_k \,|\, A_b],\, e_a P_b) \le t$. On the other hand, if $d_H(FKB(e_a P_b)[I_k \,|\, A_b],\, e_a P_b) \le t$, then $FKB(e_a P_b)[I_k \,|\, A_b]$ must be the codeword to which $e_a P_b$ corresponds. Therefore $FKB(e_a P_b)$ must be error-free, i.e. $w_H(FKB(z_a P_b)) = 0$. □
Observe that this theorem describes the McEliece attack (with validation) in a more general form. During the initial phase of the attack, k cryptogram bits are randomly selected (without replacement) from e. The k selected bits form the set A and the remaining (n - k) bits are assigned to set B. Selecting k new bits in the McEliece attack is replaced by a permutation $P_b$ which swaps at most k new bits from set B for k bits from set A. The permutation is only successful if the corresponding columns of the encryption matrix E are linearly independent, as has been mentioned in section 3. The theorem states that the obtained solution is unique and gives the correct message m if the distance verification is positive. In the next section we will describe an attack based on this kind of bit swapping.
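The scheme of Section 2 and the validation of Theorem 1, as an added worked example in Python that is not the paper's code: it assumes the [7,4,3] Hamming code in place of a Goppa code, a constructed message and error vector, and hypothetical helper names; real parameters such as k = 654 are far beyond it.

```python
"""Toy McEliece (Section 2) and the Theorem 1 validation check (Section 4).

Added example, not the paper's code.  It uses the binary Hamming [7,4,3] code
(t = 1) so every matrix stays visible; real parameters are far larger.
Vectors are lists of 0/1, matrices are lists of row vectors over GF(2).
"""
import random

N, K, T = 7, 4, 1
# G = [I_4 | A] and H = [A^T | I_3]: every nonzero syndrome is one column of H.
G_HAMMING = [[1, 0, 0, 0, 1, 1, 0], [0, 1, 0, 0, 1, 0, 1],
             [0, 0, 1, 0, 0, 1, 1], [0, 0, 0, 1, 1, 1, 1]]
H_HAMMING = [[1, 1, 0, 1, 1, 0, 0], [1, 0, 1, 1, 0, 1, 0], [0, 1, 1, 1, 0, 0, 1]]

def transpose(A):
    return [list(col) for col in zip(*A)]

def mat_mul(A, B):
    """Matrix product over GF(2)."""
    return [[sum(x * y for x, y in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def vec_mat(v, A):
    return mat_mul([v], A)[0]

def gf2_solve(A, rhs):
    """Solve x * A = rhs over GF(2) (A square) by elimination on the transposed
    system; None when the columns of A are linearly dependent."""
    k = len(A)
    rows = [list(r) + [b] for r, b in zip(transpose(A), rhs)]
    for col in range(k):
        pivot = next((r for r in range(col, k) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(k):
            if r != col and rows[r][col]:
                rows[r] = [x ^ y for x, y in zip(rows[r], rows[col])]
    return [rows[i][k] for i in range(k)]

def keygen(rng):
    """Private key (S, P) and public key E = S G P, equation (1)."""
    while True:
        S = [[rng.randint(0, 1) for _ in range(K)] for _ in range(K)]
        if gf2_solve(S, [0] * K) is not None:      # S must be non-singular
            break
    perm = list(range(N))
    rng.shuffle(perm)
    P = [[int(j == perm[i]) for j in range(N)] for i in range(N)]
    return S, P, mat_mul(mat_mul(S, G_HAMMING), P)

def encrypt(E, m, z):
    """e = m E + z, equation (2); z is an error vector of weight <= T."""
    return [x ^ y for x, y in zip(vec_mat(m, E), z)]

def hamming_decode(v):
    """Syndrome decoding (at most one error): flip the position whose column of
    H equals the syndrome v H^T."""
    s = vec_mat(v, transpose(H_HAMMING))
    if any(s):
        v = v[:]
        v[transpose(H_HAMMING).index(s)] ^= 1
    return v

def decrypt(S, P, e):
    """Section 2, steps 1-2: undo P, correct the errors, keep the first k bits
    of the systematic codeword (they equal m S) and undo S."""
    c_prime = hamming_decode(vec_mat(e, transpose(P)))
    return gf2_solve(S, c_prime[:K])

def information_set_attempt(E, e, positions):
    """Theorem 1 for one choice of k cryptogram positions: solve m from those k
    columns (None if dependent) and accept it iff d_H(m E, e) <= T, which holds
    exactly when the chosen positions carry no error."""
    sub = [[row[j] for j in positions] for row in E]
    m = gf2_solve(sub, [e[j] for j in positions])
    if m is None or sum(x ^ y for x, y in zip(vec_mat(m, E), e)) > T:
        return None
    return m

def recover_message(E, e, rng, max_tries=10000):
    """McEliece's k-of-n selection (Section 3.2) with Theorem 1 as the check;
    returns (m, number of k-subsets tried) or (None, max_tries)."""
    for tries in range(1, max_tries + 1):
        m = information_set_attempt(E, e, rng.sample(range(N), K))
        if m is not None:
            return m, tries
    return None, max_tries

def demo(seed=2024):
    """Round trip on a constructed message, then recovery from E and e alone."""
    rng = random.Random(seed)
    S, P, E = keygen(rng)
    m, z = [1, 0, 1, 1], [0, 0, 0, 0, 0, 1, 0]    # constructed message and error
    e = encrypt(E, m, z)
    recovered, tries = recover_message(E, e, rng)
    return m, decrypt(S, P, e), recovered, tries
```

On this toy code roughly a third of the random 4-subsets are accepted, so the number of tries stays tiny; the work factor of equation (4) grows with $p_k^{-1}$ and $q_k^{-1}$ at the paper's parameters.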

5 One Bit Swapping Attack

The McEliece attack can be considered as a k-bit swapping attack. To obtain a low complexity and to determine in a fast way if a given permutation fulfils, we will present an algorithm for a one bit swapping procedure only.

The algorithm for a one bit swapping attack consists of the following 5 steps.

Step 1 - initialisation.

Decompose the encipher matrix E, i.e. calculate a permutation matrix $P_a$ and a matrix $A_a$ such that $E = S_a [I_k \,|\, A_a] P_a$. Set up a pointer table: FOR i := 1 TO n DO Ptable[i] := i.

Calculate $e_a = eP_a$ and update the pointer table.

Step 2 - checking.

Check if it holds that $d_H(FKB(e_a)[I_k \,|\, A_a],\, e_a) \le t$. This can be done by checking whether there are no more than t errors with respect to $FKB(e_a) A_a$. If there are t errors or less in the last (n - k) bits of $e_a$, then proceed to step 5.

Step 3 - swapping.

The algorithm PRP produces a pseudo-random permutation $P_b$. The permutation $P_b$ swaps one column, say i, from the $I_k$ part of the matrix $[I_k \,|\, A_a]$ for one column, say j, from the $A_a$ part. The swapping procedure is as follows.

REPEAT
    Select permutation $P_b$ from PRP.
    IF column j does not have a '1' as i-th entry
    THEN $P_b$ does not fulfil
    ELSE $P_b$ fulfils;
         swap(Ptable[i], Ptable[j]);
         $e_a := e_a P_b$
    FI;
UNTIL $P_b$ fulfils.

Step 4 - updating.

Compute $[I_k \,|\, A_a] P_b$ into the form $S_b [I_k \,|\, A_b]$. The new 'stripped' generator matrix will be defined as $[I_k \,|\, A_a] := [I_k \,|\, A_b]$. Compute $e_a := e_a P_b$. Proceed to step 2.

Step 5 - calculate plaintext.

At this stage there are no errors in $FKB(e_a)$ and consequently $FKB(z_a)$ is 0. The first k positions of the pointer table (Ptable) show locations in e without error. Select the corresponding columns of the encryption matrix E, which are guaranteed linearly independent, and calculate the plaintext m.



6 Number of Swaps

A ciphertext e is obtained by adding an error vector z with Hamming weight t to a permuted codeword c = mE. Therefore there are t 'disturbed' bits in the cryptogram e which differ from the permuted codeword bits in c. In the attack bits are repeatedly swapped in order to obtain k non-disturbed ciphertext bits. During the initial phase of the attack, k cryptogram bits are randomly selected (without replacement) from e. The k selected bits form the set $A = \{e_\nu\}$ and the remaining (n - k) bits are assigned to set $B = \{e_\mu\}$. The procedure swap($e_\nu$, $e_\mu$), which swaps a bit from set A for a bit from set B, has one of the following values

• s = 0 if a (non-)disturbed bit $e_\nu$ is swapped for a (non-)disturbed bit $e_\mu$,

• s = -1 if a disturbed bit $e_\nu$ is swapped for a non-disturbed bit $e_\mu$,

• s = +1 if a non-disturbed bit $e_\nu$ is swapped for a disturbed bit $e_\mu$.

For the conditional probability Pr{i + s | i}, i.e. the probability that an event with i disturbed bits $e_\nu$ in A is followed after a swap by an event with i + s disturbed bits $e_\nu$ in A, we find

$\Pr\{i-1\,|\,i\} = \frac{i}{k} \cdot \frac{n-k-t+i}{n-k}, \qquad \Pr\{i+1\,|\,i\} = \frac{k-i}{k} \cdot \frac{t-i}{n-k}, \qquad \Pr\{i\,|\,i\} = 1 - \Pr\{i-1\,|\,i\} - \Pr\{i+1\,|\,i\}.$    (8)

If $N_i = N_i(n, k, t)$ denotes the average work factor for a state with i errors, then $N_{i-1}$ follows from

$N_{i-1} = \frac{\Pr\{i-1\,|\,i-1\} + \Pr\{i\,|\,i-1\} \cdot (N_i + 2)}{\Pr\{i-2\,|\,i-1\}}.$    (9)
Table 1 The average number of swaps $N_i$ for state i.

$N_i$: $2^{59.4}$, $2^{53.3}$, $2^{48.3}$, $2^{43.9}$, $2^{39.9}$, $2^{36.3}$, $2^{33.0}$, $2^{30.0}$, $2^{27.3}$, $2^{24.7}$ (the ten values as printed, for successive states i; the state labels were lost).

The average number of random swaps (with replacement) N(n, k, t), depending on all the possible $\binom{n}{k}$ initial states, is given by

$N(n, k, t) = \sum \ldots \sum_{j=1} (N_i + j).$    (10)

7 Work factor

Let $W_i$ denote the average work factor of step i. With a probability of approximately one half ($q_k \approx 1/2$) a permutation is found in step 3 which can be used. The permutation $P_b$ can be generated and validated in a fast way and independently from the main algorithm. Steps 2 and 4 are only executed when a correct permutation $P_b$ is determined. Therefore we can neglect $W_3$ ($V_k = 0$ in equation 4). Since steps 1 and 5 are executed only once, we can neglect $W_1$ and $W_5$ in view of the on average N(n, k, t) repeated steps 2 and 4. Therefore the main algorithm has an average work factor

$W = (W_2 + W_4) \times N(n, k, t).$    (11)

M(j, i) is a notation for j simultaneous i-bit multiplications and similarly A(j, i) denotes j simultaneous i-bit additions. If simultaneous i-bit operations are left out of consideration, then e.g. M(j, i) becomes, with a little ambiguity, $j M(1, i) = j M(i)$. Moreover if only 1-bit operations are considered, then this notation reduces to M(j, i) = ji.



For $W_2$ we find that

$W_2 = M(n - k, k),$    (12)

$(t + 1) \cdot M(k) \le W_2 \le (n - k) \cdot M(k).$    (13)

On average $W_2$ will be $2(t + 1) \cdot M(k)$.    (14)

For $W_4$ we obtain

$W_4 = A(k - 1, n - k - 1),$    (15)

$A(n - k - 1) \le W_4 \le (k - 1) \cdot A(n - k - 1).$    (16)

On average $W_4$ will be $\frac{k - 1}{2} \cdot A(n - k - 1)$.    (17)

In general the work factor (11) becomes

$W = [M(n - k, k) + A(k - 1, n - k - 1)] \times N(n, k, t).$    (18)

If we use for example the average values (14) and (17) in (11), then we obtain the following work factor

$W = \left[2(t + 1) \cdot M(k) + \frac{k - 1}{2} \cdot A(n - k - 1)\right] \times N(n, k, t).$    (19)

This way we find for the overall average work factor (without parallelism etc.)

$W = \frac{1}{2}\,[4k(t + 1) + k(n - k) - (n - 1)] \times N(n, k, t).$    (20)

The maximum value of W is approximately $2^{76.8}$ for t = 39. The average number of swaps is in this case $2^{59.4}$.



8 Further Improvements

At Eurocrypt'88, Lee and Brickell [7] presented a generalized attack on the McEliece scheme. Briefly, the attack is as follows: a set of k bits is selected at random from the cryptogram. The set is tested by an exhaustive search for an error pattern with no more than j errors. In case an error pattern is found with j or less errors, the algorithm stops, otherwise a new set of k bits is selected. For j = 0 the traditional attack is obtained, and a brute force distance search for j = t. Lee and Brickell have found (with some assumptions) that the optimum j which minimizes the maximum work factor is 2 for all values of useful code parameters.

8.1 Search for one correctable error

Lee and Brickell propose in [7] a random update of only one bit instead of all the k bits at the same time. This bit swapping is actually one of the basics of our method. From section 6 it follows that the last steps, i.e. removing the last j errors, dominate the work factor. An optimization procedure similar to the Lee-Brickell method is used to speed up our attack. While in our case there is a trade-off between the swap complexity and the complexity of the exhaustive search with checking, the optimum j which minimizes the maximum work factor is found to be 1. This low optimum is due to the low complexity of the swap procedure, which is $O(k \times (n - k))$. For a single error pattern search a new step has to be added to the attack described
For a single error pattern search a new step has to be added to the attack described 
in section 5. If $u_i$ is the i-th unit vector, then the new step becomes

Step 2a - search for one correctable error

For $1 \le i \le k$, check if it holds that $d_H(FKB(e_a - u_i)[I_k \,|\, A_a],\, e_a) \le t$. This can be done by checking whether there are no more than t errors with respect to $FKB(e_a - u_i) A_a$. If for a certain i there are t or less errors in the last (n - k) bits of $e_a$, then correct bit Ptable[i] in e and proceed to step 5.

For the average work factor $W_{2a}$ for step 2a we find that

$W_{2a} = 2(t + 1)k.$    (21)

The maximum overall work factor W is approximately $2^{71.1}$ for t = 39. The average number of swaps is in this case $2^{53.4}$.

8.2 Partial search for two correctable errors

Since the value of $W_{2a}$ is small compared to $(W_2 + W_4)$, a partial search for patterns with two errors can be considered additionally. The number of partial search patterns used in step 2b below is denoted by $n_s$.

Step 2b - partial search for two correctable errors

For $1 \le i \le k$ and $i < j \le k$, check if it holds that $d_H(FKB(e_a - u_i - u_j)[I_k \,|\, A_a],\, e_a) \le t$. This can be done by checking whether there are no more than t errors with respect to $FKB(e_a - u_i - u_j) A_a$. If for certain i and j there are t or less errors in the last (n - k) bits of $e_a$, then correct bits Ptable[i] and Ptable[j] in e and proceed to step 5. If $n_s$ patterns have been tried, then proceed to step 3.

For the average work factor $W_{2b}$ for step 2b we find that

$W_{2b} = 2(t + 1) \cdot n_s.$    (22)

If we assume a uniform distribution of the error patterns, then the probability of success follows from

$\Pr\{\text{Success Partial Search}\,|\,i = 2\} = n_s \Big/ \binom{k}{2}.$    (23)

The average work factor $N_i$ for states 3 to t follows from equation 9. The average work factor $N_2$ for state i = 2 becomes

$N_2 = \frac{\Pr\{i = 2\,|\,i = 2\} + \Pr\{i = 3\,|\,i = 2\} \cdot (N_3 + 2)}{\Pr\{i = 1\,|\,i = 2\} + \Pr\{\text{Success Partial Search}\,|\,i = 2\}}.$    (24)

The maximum overall work factor W is approximately $2^{69.7}$ for t = 39 and $n_s = 5769$. The average number of swaps is in this case $2^{50.3}$.
8.3 General Attack 

Let P_b be a permutation matrix which swaps at most i columns from the I_k part 
for i columns in the A_a part of the [I_k|A_a] matrix. Let S be a subset of GF(2)^k 
with the property that the Hamming weight w_H(s) of the vectors s ∈ S is less than or 
equal to j. If all vectors s with Hamming weight equal to j are used during one 
search, then the attack is called complete, otherwise partial. 

The general [i, j]-swap attack follows from 

1. initialisation 

• decompose the encipher matrix: E = S_a[I_k|A_a]P_a 

• calculate e_a = eP_a 

• set up the pointer table 

2. checking 

• Check if there exists an s ∈ S such that d_H[(FKB(e_a) − s)[I_k|A_a], e_a] ≤ t. 
If there exists such an s ∈ S, then correct e with s using the pointer table 
and proceed to step 4. 

3. swapping 

• select a permutation P_b which fulfils: P_b swaps at most i columns from the I_k part 
for i columns in the A_a part of the [I_k|A_a] matrix 

• transform [I_k|A_a]P_b into S_b[I_k|A_b] 

• let [I_k|A_a] := [I_k|A_b] and e_a := e_aP_b 

• update the pointer table and proceed to step 2 

4. calculate plaintext 

• the first k positions of the pointer table show locations in e without error 

• select the corresponding columns of the encryption matrix E, which are 
guaranteed linearly independent 

• calculate the plaintext m 

For a complete [i, j]-swap attack with i < j all search patterns s ∈ S have to be used 
during the initial round. However, for the subsequent rounds only the search patterns 
with (j − i) ≤ w_H(s) ≤ j have to be considered, since there are at least (j − i) errors 
after each i-swap. For a partial attack this becomes — ≤ w_H(s) ≤ j. 
9 Reduced Public-Key 

From the attack described in section 5 and the fact that the existence of more than 
one trapdoor in the system is unlikely [1], it follows that although a factorisation 
of E is found, no information about the original S, G and P matrices is revealed. 
For this reason a k × (n − k) matrix A of a decomposition of the encryption matrix 
E = SGP = S'[I_k|A]P' can be published instead of E. Encryption can be done in 
the following way 

• Use a publicly known seed s. The seed s generates a new non-singular binary 
matrix S*. The encryption scheme becomes 

e = mE + z = mS*[I_k|A] + z = w[I_k|A] + z. (25) 

• Use a publicly known invertible function f which transforms a message m ∈ 
GF(2)^k into a word w ∈ GF(2)^k. The function f may also depend on the 
error vector z. In this case the following encryption scheme is obtained 

e = mE + z = f(m, z)·[I_k|A] + z = w[I_k|A] + z. (26) 

Keeping the seed s, used to generate the non-singular matrix S*, secret does not 
increase the security of the system, since a chosen-plaintext attack by majority 
voting of each position of a row of the encipher matrix E will be successful and 
reveal [S*|S*A] and consequently S*. 
In both cases it follows that 

• The sender generates an error vector z, computes w and calculates a cryp- 
togram e = w[I_k|A] + z. 

• The receiver determines the error pattern z, removes it from e, computes 
w = FKB(e − z) and calculates the message m = wS*^{-1} or m = f^{-1}(w, z). 

It follows that the public-key can be reduced to n × (n − k) bits. For n = 1024 and 
t = 39 the reduced key becomes 399 kbits. 
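The reduced-key scheme of this section, as an added example that is not the paper's own code: a toy [7,4] Hamming code in systematic form stands in for the Goppa code, so the published key is the matrix A alone, the sender computes e = w[I_k|A] + z with w = mS* from a public seed (25) or w = f(m, z) (26), and the receiver recovers w = FKB(e − z) after decoding z. The syndrome decoder, the seeded S*, the choice f(m, z) = m ⊕ SHA-256(z) and the key-size count (n − k = 390 is read off the paper's 399 kbits) are assumptions of this example.

```python
import hashlib
import random

# Toy [7,4] Hamming code in systematic form, constructed for this example (the
# paper's Goppa code with n = 1024, t = 39 is replaced by n = 7, k = 4, t = 1).
# Generator G = [I_k | A], parity-check H = [A^T | I_r]; only A is published.
A = [[1, 1, 0],
     [1, 0, 1],
     [0, 1, 1],
     [1, 1, 1]]
K, R = len(A), len(A[0])      # k and r = n - k
N = K + R

def add(u, v):
    return [a ^ b for a, b in zip(u, v)]

def vec_mat(v, M):
    """Row vector v (length k) times matrix M (k x r) over GF(2)."""
    out = [0] * len(M[0])
    for bit, row in zip(v, M):
        if bit:
            out = add(out, row)
    return out

def syndrome(e):
    """e H^T with H = [A^T | I_r]: parity of the first k bits XOR the last r bits."""
    return add(vec_mat(e[:K], A), e[K:])

def find_error(e):
    """Receiver-side decoding for t = 1: the syndrome is the H-column of the error position."""
    s = syndrome(e)
    z = [0] * N
    if any(s):
        columns = A + [[int(i == j) for i in range(R)] for j in range(R)]
        z[columns.index(s)] = 1
    return z

def gf2_inverse(M):
    """Gauss-Jordan over GF(2) with rows held as bitmasks; None if M is singular."""
    k = len(M)
    rows = [sum(b << j for j, b in enumerate(r)) for r in M]
    inv = [1 << i for i in range(k)]
    for col in range(k):
        piv = next((r for r in range(col, k) if rows[r] >> col & 1), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv[col], inv[piv] = inv[piv], inv[col]
        for r in range(k):
            if r != col and rows[r] >> col & 1:
                rows[r] ^= rows[col]
                inv[r] ^= inv[col]
    return [[inv[i] >> j & 1 for j in range(k)] for i in range(k)]

def s_star(seed):
    """Variant (25): a non-singular k x k S* that anyone can regenerate from the public seed."""
    rng = random.Random(seed)
    while True:
        S = [[rng.randint(0, 1) for _ in range(K)] for _ in range(K)]
        if gf2_inverse(S) is not None:
            return S

def f(m, z):
    """Variant (26): w = f(m, z) = m XOR the first k bits of SHA-256(z); this choice
    (made for the example) is an involution, so f^-1(w, z) = f(w, z)."""
    d = hashlib.sha256(bytes(z)).digest()
    return add(m, [(d[i // 8] >> (i % 8)) & 1 for i in range(K)])

def encrypt(m, z, seed=None):
    """e = w [I_k | A] + z with w = m S* (seed given) or w = f(m, z)."""
    w = vec_mat(m, s_star(seed)) if seed is not None else f(m, z)
    return add(w + vec_mat(w, A), z)

def decrypt(e, seed=None):
    """Find z, remove it, take w = FKB(e - z), then m = w S*^-1 or m = f^-1(w, z)."""
    z = find_error(e)
    w = add(e, z)[:K]
    return vec_mat(w, gf2_inverse(s_star(seed))) if seed is not None else f(w, z)

def reduced_key_bits(n, r):
    """Key size as counted in the paper, n x (n - k) bits; the paper's 399 kbits
    for n = 1024 corresponds to n - k = 390."""
    return n * r
```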
Abstract 

This paper describes a systematic procedure for decrypting simple substitu- 
tion ciphers with word divisions. The algorithm employs an exhaustive 
search in a large on-line dictionary for words that satisfy constraints on 
word length, letter position and letter multiplicity. The method does not 
rely on statistical or semantical properties of English, nor does it use any 
language-specific heuristics. The system is, in fact, language independent in 
the sense that it would work equally well over any language for which a suf- 
ficiently large dictionary exists on-line. To reduce the potentially high cost 
of locating all words that contain specified patterns, the dictionary is com- 
piled into a database from which groups of words that satisfy simple con- 
straints may be accessed simultaneously. The algorithm (using a relatively 
small dictionary of 19,000 entries) has been implemented in Franz Lisp on a 
Vax 11/780 computer running 4.3 BSD Unix. The system is frequently suc- 
cessful in a completely automated mode — preliminary testing indicates 
about a 60% success rate, usually in less than three minutes of CPU time. 
If it fails, there exist interactive facilities, permitting the user to guide the 
search manually, that perform very well with minor human intervention. 

1. Introduction 

Despite its relative insecurity compared to modern encryption techniques, 
the simple substitution cipher remains a classical problem that has defied reliable 
automated decryption. Human cryptanalysis of substitution ciphers is usually 
begun by obtaining a trial entry to the code, i.e. guessing the decodings of one or 
more letters. The initial guesses may be based on a variety of simple techniques, 
such as n-gram frequencies, doubled letters or short word patterns. The partial 

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 132-144, 1990. 
decryption yielded by the entry may then be used to deduce full words through 
visual recognition and by observing syntactic and semantic patterns. The 
guessed words, in turn, yield further letter decodings and the process is repeated 
until the entire message is deciphered. Some of the automated systems have 
attempted to imitate this method. Carroll and Martin [CM86], for instance, have 
developed a microcomputer-based program which utilizes expert system metho- 
dology to capture the knowledge and heuristics that an experienced cryptanalyst 
might employ in both the entry and deduction phases. Schatz [S77] uses singular 
value decomposition of a cipher's digram matrix to obtain a prediction of a 
cryptogram's vowels. Using the vowels and some special clues (e.g. one-letter 
words and apostrophes) as an entry, Schatz's program performs a heuristic search 
for words guided by a small vocabulary and a database of rules which reflect sta- 
tistical properties of the English language. A very different method, proposed by 
Peleg and Rosenfeld [Peleg-Rosenfeld], employs a relaxation algorithm to deter- 
mine all of the plaintext letters in parallel by iteratively updating the joint pro- 
babilities for the decoding of each ciphertext letter, with respect to its two 
nearest neighbors. The above systems assume that the plaintext conforms to 
various statistical properties of English. For long cryptograms this is a reasonable 
assumption, however messages that are short in length or contain uncommon 
combinations of letters (e.g. acronyms), are particularly difficult, if not impossi- 
ble for such systems to solve. 

An exhaustive search that generates all 26! keys is a reliable, but clearly 
impractical decryption method. A more reasonable (but still exhaustive) approach 
is to conduct the search at the word level, rather than at the letter level, using a 
large on-line dictionary. For each word in the ciphertext, the dictionary is 
searched for all of the words that satisfy some known constraints. Since the cipher- 
text contains word divisions, word length is always a known constraint. Multiple 
occurrences of the same letter in the same word are a second important pattern con- 
straint. If the dictionary is complete, then each plaintext word must appear 
somewhere in the corresponding list of constrained words. If we examine all possi- 
ble combinations from the constrained lists, the correct translation of the entire 
message must eventually appear. The search for the correct combination is con- 
ducted as a depth-first tree walk, in which each branch in the search tree 
corresponds to a guess for the decoding of a particular word in the ciphertext. 
Although the search space is initially very large, it is greatly reduced during the 
course of the search because each time a word is chosen as a possible decryption 
it imposes additional constraints upon every other word that shares one or more of its 
letters. Hence, as choices are made for each word, the set of possible choices for 
the other words becomes progressively smaller. Backtracking is performed when- 
ever there are remaining words for which the set of potential decryptions is 
empty. Hence, if the dictionary is complete, the search will eventually find a set 
of choices for the ciphertext words which mutually satisfy all known constraints. 
With high probability, this set of words is very close to the correct plaintext. 
Even if some plaintext words are not in the dictionary, the constraints imposed 
by those that are may be sufficient to provide an unambiguous decryption that is 
apparent by visual inspection. Wall [W80] describes such a procedure, but claims 
it is feasible only if special purpose hardware (a content addressable memory) is 
used to support parallel lookup of words from the dictionary. Wall actually 
implemented this method, simulating the parallel hardware via APL vector 
operations and excluding lookup time from the performance analysis. Our 
approach is much the same as Wall's, but with the following improvements: 

1) no special hardware is required; instead the dictionary is compiled into a 
database designed to facilitate efficient lookup; 

2) a control strategy is employed to guide the search toward promising paths; 

3) the use of letter multiplicity (i.e. multiple occurrences of the same letter in 
the same word) as a constraint results in a much smaller search space; 

4) certain guesses for words are recognized as yielding inconsistencies, and 
hence immediately rejected instead of being propagated further in the 
search. 

2. The Database 

Our system is based on an exhaustive search for pattern words in a diction- 
ary of over 19,000 entries. The word search entails determining the set of words 
in the dictionary that satisfy specified constraints on word length, letter position 
and letter multiplicity. An example of such a pattern is the set of all words with 
six letters having e in position 2 and w in position 5. A more complicated exam- 
ple is the set of all eight letter words ending in t in which the same letter occurs 
in positions 1, 5 and 7. Extracting such information by repeatedly scanning the 
dictionary for pattern matches would be impractically slow. Instead, the diction- 
ary is compiled into a database that is partitioned according to letter, word length 
and letter position. Associated with each letter in the alphabet is a list of num- 
bered properties 1, 2, ..., m, where m is the maximum length of any word in the 
dictionary. The value of each property j is a vector V_j, indexed from 1 to j. If 
we want to find all words of length n containing the letter l in position i, we 
look on the property list of l and access the i-th element of the vector found on 
property n. For instance, all 10 letter words containing r in position 6 are found 
by looking in the sixth entry of the vector found in property 10 on the property 
list of r. For simplicity, the database may also be viewed as a three dimensional 
array D, indexed by word length, letter and letter position, in which the entries 
are lists of words. For parameters i, j and k, an entry D(i,j,k) would contain 
the list of all words of length i in which letter j occurs in position k. Words 
satisfying more complicated patterns are found by computing the union and 
intersection of one-letter patterns. The intersection of D(9,b,4) and D(9,w,7), for 
example, would be the set of all 9 letter words containing b in position 4 and w 
in position 7. To get all 6 letter words containing the same letter in positions 5 
and 6, we take the union of all words having letter l in positions 5 and 6, where l 
ranges from a thru z. 
The dictionary is compiled in a Franz Lisp session, separate from the execu- 
tion of the decryption program. The resulting Lisp image may then be stored on 
disk to permit fast loading of the system. The Lisp image, including the data- 
base of approximately 19,700 words, occupies about 2.9 megabytes of disk space. 

3. The Search Technique 

Viewing a cipher as a list of words [w_0, w_1, ..., w_n], our decryption process 
amounts to a state-space search in which each state T_i is a pair [P_i, S_i]. P_i is a 
list [p_i0, p_i1, ..., p_in] where each p_ij is itself a list containing all possible decryptions 
for word w_j in the ciphertext. S_i is the current substitution list, i.e. a list of 
pairs of letters ([C_1,d_1], [C_2,d_2], ..., [C_m,d_m]) indicating that letter d_k is currently 
assumed to be the decoding of the ciphertext letter C_k. Each node in the search 
tree represents a modified state which reflects the constraints imposed by a new 
guess for some ciphertext word. At the root node T_0, S_0 is empty and P_0 is 
obtained by searching the dictionary for the possible decryptions of each word, 
subject to the constraints of word length and multiple occurrences in a word of 
the same letter. For example, consider the following cryptogram taken from The 
Dallas Morning News: 

MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM 

Possible decryptions of the first ciphertext word are words that satisfy the pat- 
tern MZDDTK, i.e. all six-letter words having the same letter in positions 3 and 

4. In this case, the word search routine returns a list of 320 words, 
[babble, bobbin,. ..,sizzle]. The same procedure is then repeated for each word in 
the ciphertext. Table 1 summarizes these initial possibilities. 



Word   Ciphertext   Possible Decryptions         # Possibilities 
w_0    MZDDTK       [babble, ..., sizzle]        320 
w_1    CJQLAPZZ     [absentee, ..., megawatt]    90 
w_2    DKDM         [afar, ..., vivo]            39 
w_3    CJQLNZPQ     [academia, ..., bayberry]    130 
w_4    TZJKDA       ?                            ? 
w_5    MPQBPQB      [alfalfa]                    1 
w_6    TNT          [ala, ..., wow]              28 
w_7    MNQBM        [aloha, ..., widow]          93 

Table 1. Initial possible decryptions of ciphertext words 
The entries for the word TZJKDA are left blank because it has no multiple 
occurrences of any letter. Its possible decipherments (all six-letter words) are so 
numerous (2,850 words) that it is best to postpone evaluation of this word, as 
will be discussed later. 



Word   Ciphertext   Possible Decryptions         # Possibilities 
w_0    MZDDTK       [cobble, ..., sizzle]        246 
w_1    CJQLAPZZ     [divorcee, ..., kilowatt]    32 
w_2    DKDM         [afar, ..., vivo]            32 
w_3    CJQLNZPQ     [charisma, ..., petulant]    42 
w_4    TZJKDA       ?                            ? 
w_5    MPQBPQB      []                           0 
w_6    TNT          [ala, ..., wow]              28 
w_7    MNQBM        [aloha, ..., widow]          79 

Table 2. Reduced possible decryptions of ciphertext words 

The size of these initial lists of possibilities may be reduced considerably by 
removing inconsistent words, i.e. words that imply an ambiguous decryption key. 
For instance, babble is inconsistent with MZDDTK because it implies that both M 
and D translate to b. (In Wall's algorithm, such inconsistencies are not recog- 
nized.) Table 2 displays the reduced possibility lists from which inconsistent words 
have been extracted. Note that MPQBPQB has no possible decryption, i.e. the 
plaintext for the word doesn't appear in the dictionary. 

The initial state of the search at the root node of the search tree is T_0 = 
[P_0, S_0], where S_0 is an empty list and P_0 corresponds to the lists of possible 
decryptions in Table 2. For instance, p_00 is the list of candidate decryptions for 
the first word, i.e. p_00 = [cobble, ..., sizzle]. Similarly, p_01 = [divorcee, ..., kilowatt], 
p_02 = [afar, ..., vivo], ..., p_07 = [aloha, ..., widow]. Each descendant node in the 
tree may be viewed as a guess for some word in the ciphertext. To expand the 
root node, a particular word is chosen from some p_0i as a trial decryption of w_i. 
The successor state is T_1 = [P_1, S_1], where S_1 is the list of letter substitutions 
implied by the choice and P_1 is equal to [p_10, ..., p_1(i-1), p_1(i+1), ..., p_17], where each 
p_1j is the subset of p_0j whose words do not violate the new constraints imposed 
by S_1. (Note that P_1 does not contain the possible decryptions for w_i since w_i 
is the word for which a guess is being made.) If divorcee is selected as trial 
decryption of w_1, for example, then S_1 = 
[(C,d), (J,i), (Q,v), (L,o), (A,r), (P,c), (Z,e)]. Each p_1j is now filtered to remove 
words which conflict with S_1. The filter succeeds in two ways. In one case, 
words are discarded because the same ciphertext letter has two decryptions, e.g. 
charisma is dismissed as a possible decryption for w_3 (CJQLNZPQ) because the 
implied decoding (C,c) conflicts with the assumption from S_1 that C decodes to 
d. The second way that filtering works is to eject words that require two dif- 
ferent ciphertext letters to decode to the same plaintext. For example, cobble is 
no longer a possible decryption of w_0 because the required substitution of c for 
M conflicts with the constraint (P,c) in S_1. The new constraints also provide 
additional information about w_4 (TZJKDA), the word which had not been previ- 
ously evaluated. Under the constraints (Z,e) and (D,c), the possible decryptions 
for TZJKDA are now the set of all six-letter words containing e in position 2 
and c in position 5. The result is a list of 21 words [deduce, ..., select] (all of which 
get filtered out). If we had evaluated w_4 earlier, we would have had to filter the 
entire list of 2,850 six-letter words in the dictionary. 

The search space is greatly reduced by the seven constraints of S_1, as indi- 
cated in Table 3 which corresponds to P_1. 



Word   Ciphertext   Possible Decryptions   # Possibilities 
w_0    MZDDTK       [bellum]               1 
w_2    DKDM         [alan, ..., sash]      4 
w_3    CJQLNZPQ     []                     0 
w_4    TZJKDA       []                     0 
w_5    MPQBPQB      []                     0 
w_6    TNT          [ala, ..., tat]        8 
w_7    MNQBM        []                     0 

Table 3. Possible decryptions at state T_1 = [P_1, S_1] 
with w_1 decoded as CJQLAPZZ = divorcee 

The node corresponding to state T_1 may now be expanded by choosing among 
the 13 possible decodings for w_0, w_2 and w_6. If bellum is chosen for w_0, the 
resulting additional constraints in state T_2 filter out all of the remaining possibil- 
ities for w_2 and w_6, so we have reached a dead end in the search. 

When a dead end is encountered, the trial plaintext under the current set of 
constraints is evaluated to decide whether or not the constraints yield a likely 
decryption of the ciphertext. The main criterion considered by the evaluation 
routine is the number of words in the ciphertext which are completely deter- 
mined. The evaluation function awards points to any completed word, whether 
or not its decipherment is in the dictionary; the mere fact that all of the letters 
can be unambiguously decoded is a positive sign. Greater weight, of course, is 
given to words found in the dictionary and longer words are assigned more points 
than shorter ones. Extra credit is given to completed words that were not among 
those selected for expansion, i.e. words that were filled in as a result of other 
selections. If the score returned by the evaluation function is sufficiently high 
and is equal to or greater than the previous highest score, the current state is 
considered to be a possible solution and the trial plaintext is displayed to the 
user. In any case, the search continues by backtracking to the previous node and 
re-expanding with a new word choice. 

In the present example, the constraints derived from the first selected word 
are sufficient to shrink the search space to a manageable level after the expansion 
of only one node — fortunately the selected word provides sufficient constraints. 
This is not always the case, however. For instance, if we had selected ala as a 
decryption for w_6 (TNT) at state T_0 (instead of divorcee for w_1), P_1 would con- 
tain far more possibilities, as shown in Table 4. Here the number of combinations 
of remaining possible decryptions is 3,456 (6 x 6 x 16 x 6) rather than 32 (4 x 8) as 
in Table 3. 



Word   Ciphertext   Possible Decryptions         # Possibilities 
w_0    MZDDTK       [giddap, ..., hurray]        6 
w_1    CJQLAPZZ     [divorcee, ..., princess]    6 
w_2    DKDM         [...]                        16 
w_3    CJQLNZPQ     [preclude]                   1 
w_4    TZJKDA       []                           0 
w_5    MPQBPQB      []                           0 
w_7    MNQBM        [elide, ..., plump]          6 

Table 4. Possible decryptions at state T_1 = [P_1, S_1] 
with w_6 decoded as TNT = ala. 

The striking contrast is due, of course, to the difference in the number of con- 
straints imposed by the two choices. Word w_1 has 7 distinct letters, yielding 7 
constraints, as opposed to only 2 constraints produced by the 2 distinct letters in 
w_6. Short words (i.e. words with less than 5 letters) hence pose a problem for our 
algorithm. Not only do they fail to provide the desired constraints on other 
words, they also are less likely to be filtered out themselves because there are 
fewer possibilities for letter conflicts. If there are several unresolved short words, 
the combinatorics involved in checking all possible combinations rapidly gets out 
of hand. Since most cryptograms contain a high percentage of such words, the 
full tree may be extremely bushy and a complete traversal usually cannot be 
executed in a reasonable amount of time. It is therefore advisable that the traver- 
sal be directed toward cheap, promising paths and steered away from expensive, 
dubious ones, so that a satisfactory solution may be displayed to the user at a 
relatively early stage of the search. Fortunately, it is usually possible to achieve 
this goal if we are careful in the selection of nodes to be expanded. 

To deal with the short word problem, the ciphertext is separated into two 
groups. Group A contains the longer words in the message, i.e. words of six or 
more letters, while group B contains the rest. (If there are not three or more long 
words in the message, the definition of "long" is dynamically redefined so that 
there are at least three.) No words from group B are considered for expansion 
until all of the words in group A have either been expanded or have no 
remaining possible decryptions. By examining longer words first we hope that 
the search space will already be somewhat constrained before the short words are 
processed. When only words from group B remain, the current state is evaluated 
and a decision is made whether to continue on the current path or to backtrack. 
The node is expanded only if there is some evidence that the current path looks 
promising or if the cost of expansion is relatively small. The primary measure 
for evaluating the promise of a path is the number of completely deciphered 
words which are also found in the dictionary, particularly words that were not 
chosen as guesses. A secondary measure is the number of letters remaining to be 
deciphered — the fewer the better. If a path is not found to be promising by the 
above criteria, the next node may still be expanded if it can be done cheaply, i.e. 
if the number of successors is small and the tree is already of sufficient depth. 

Another useful heuristic for optimizing the search is Wall's suggestion that 
the most constrained word, i.e. the word with the fewest number of possible 
decryptions, should be expanded first. If a word found in the dictionary happens 
to be highly constrained at the root node, expanding it right away will almost 
always yield a speedy correct decryption because the search converges very fast 
once the right path is found. (This rule should be subordinate to the short word 
heuristics, however — a short word should not be expanded prior to a long one 
even if it is more constrained.) 

The workings of the search may be illustrated by completing the decryption 
of our example. (An abbreviated trace of the search is found in the appendix.) 
The words in group A are w_0, w_1, w_3, w_4 and w_5. In the initial state (Table 2) 
the most constrained long word is w_1 with 32 possibilities, hence CJQLAPZZ is 
chosen to be expanded first. From its list of possible decryptions, kilowatt is 
selected as the first trial word. Since there are no possible decryptions for any of 
the other long words under the new constraints, this choice is rejected and the 
search immediately backtracks and the word waitress is tried. This choice is 
rejected for the same reason, as are the next 10 choices for w_1. The first trial 
guess for w_1 that is considered promising is buckaroo. This path is considered 
worthy to pursue because it allows another long word (w_0) to be deciphered into 
a word appearing in the dictionary, namely sodden. After sodden is selected to 
expand w_0, the state is considered promising enough to warrant expansion of a 
short word, so eye is chosen for TNT. At this point a dead end is reached. Since 
there has been no previous solution offered, the current decryption is the best 
available so far, hence it is displayed to the user as: 

sodden buckaroo dnds buckyorc eounda src-rc- eye syc-s 
MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM 

As shown in the appendix, the search now backtracks to sodden and selects ewe 
for TNT. This yields a solution which appears equally good as the first, so it too 
is displayed. After 13 possible solutions involving buckaroo are discovered, the 
search backtracks to top level and other choices are tried for w_1. Several other 
paths are explored, but the depth of the search never exceeds 2. Eventually 
mandrill is selected for w_1, which happens to be the correct decryption. This 
leads immediately to mandolin for w_3. The only word that now satisfies the con- 
straints for w_4 is slater (player is not in the dictionary). This path terminates in 
the solution 

-leest mandrill ete- mandolin slater -in-in- sos -on-- 
MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM 

which is still very obscure. Backtracking to the mandolin level, sleety is now 
tried for w 0 , yielding the somewhat intelligible 

sleety mandrill eyes mandolin tlayer sin-in- tot son-s 
MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM 

The next choice for w 0 is sleepy which yields the correct answer 

sleepy mandrill eyes mandolin player sin-in- pop son-s 
MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM 

The full plaintext is obvious by inspection, however there is no way for the sys- 
tem to determine that B decodes to g because neither singing nor songs is in the 
dictionary and only these words contain g. (Since player is not in the dictionary, 
the score of 4100 is no better than the score of the previous decryption.) 
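As an added example that is not the paper's Franz Lisp program, the database of section 2 and the constraint-driven search of section 3 in Python, run on the paper's own cryptogram: pattern lookup by unions and intersections of one-letter entries of D, the consistency filter that rejects babble for MZDDTK and alfalfa for MPQBPQB, and a depth-first search that expands long (group A) words before short ones and the most constrained word first, scoring each dead end. The 31-word dictionary is constructed here (it includes player, singing and songs, which the paper's dictionary lacked), and the scoring weights and the simplified group A/B rule are choices made for this example.

```python
# Constructed mini dictionary (the paper's has over 19,000 entries): it holds the
# plaintext of the paper's Dallas Morning News cryptogram plus words from its tables.
WORDS = [
    "babble", "bobbin", "cobble", "sizzle", "sleepy", "sleety", "sodden", "pollen",
    "divorcee", "kilowatt", "mandrill", "buckaroo", "absentee", "charisma",
    "academia", "mandolin", "alfalfa", "singing", "player", "slater", "deduce",
    "afar", "vivo", "eyes", "aloha", "widow", "songs", "pop", "eye", "ewe", "wow",
]
CIPHER = "MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM".split()
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def build_database(words):
    """Section 2's array D(length, letter, position) -> words, positions counted from 1."""
    D = {}
    for w in words:
        for pos, ch in enumerate(w, start=1):
            D.setdefault((len(w), ch, pos), set()).add(w)
    return D

def pattern_candidates(D, cw, subs):
    """Words of cw's length with the same letter wherever cw repeats a cipher letter
    and the decoded letter wherever subs (cipher -> plain) already fixes one, built
    from unions and intersections of one-letter entries of D as in section 2."""
    n = len(cw)
    cands = set().union(*(D.get((n, l, 1), set()) for l in ALPHABET))
    for p in range(1, n + 1):
        c = cw[p - 1]
        if c in subs:
            cands &= D.get((n, subs[c], p), set())
        for q in range(p + 1, n + 1):
            if cw[q - 1] == c:
                same = set()
                for l in ALPHABET:
                    same |= D.get((n, l, p), set()) & D.get((n, l, q), set())
                cands &= same
    return cands

def consistent(cw, pw, subs):
    """Extended substitution list, or None if pw would give one cipher letter two
    decodings or two cipher letters the same decoding (babble for MZDDTK)."""
    new, used = dict(subs), {v: k for k, v in subs.items()}
    for c, p in zip(cw, pw):
        if new.get(c, p) != p or used.get(p, c) != c:
            return None
        new[c], used[p] = p, c
    return new

def candidates(D, cw, subs):
    """The reduced list of Table 2: pattern matches that are also consistent."""
    return {pw for pw in pattern_candidates(D, cw, subs) if consistent(cw, pw, subs) is not None}

def decode(cipher_words, subs):
    """Trial plaintext in the paper's display form, '-' for undecided letters."""
    return " ".join("".join(subs.get(c, "-") for c in cw) for cw in cipher_words)

def score(cipher_words, subs, dictionary):
    """Points per completed word, ten times more when it is in the dictionary
    (weights chosen for this example; the paper does not give its exact weights)."""
    total = 0
    for cw in cipher_words:
        if all(c in subs for c in cw):
            total += len(cw) * (10 if decode([cw], subs) in dictionary else 1)
    return total

def search(cipher_words, D, dictionary, long_len=6):
    """Depth-first search of section 3: group A (long) words are expanded before
    group B, the most constrained word first; every dead end is scored and the
    best trial plaintext found is returned."""
    best = {"score": -1, "subs": {}}

    def expand(subs, done):
        options = []
        for i, cw in enumerate(cipher_words):
            if i not in done:
                cands = candidates(D, cw, subs)
                if cands:
                    options.append((len(cw) < long_len, len(cands), i, cands))
        if not options:                  # dead end: evaluate, then backtrack
            s = score(cipher_words, subs, dictionary)
            if s > best["score"]:
                best["score"], best["subs"] = s, dict(subs)
            return
        _, _, i, cands = min(options)    # long words first, then fewest candidates
        for pw in sorted(cands):
            expand(consistent(cipher_words[i], pw, subs), done | {i})

    expand({}, frozenset())
    return best
```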

4. Interactive Mode 

When the system fails in the fully automated mode, a backup interactive 
mode is provided through which the user may analyze the cipher and supply 
his/her own guesses for letters. Commands exist which permit the user to 
display first order statistics, to add and delete guesses for letters, and to simul- 
taneously display the message and its partial decryption. With some guesses for 
letters, the automated search may then be repeated, this time guided by the 
user-supplied constraints. In many cases where the automated system fails, a suc- 
cessful decryption is achieved via correct guesses for only one or two letters. 
5. Extensions 

The current system might be improved in a variety of ways that have yet to 
be attempted. An ability to recognize plural, prefixed and suffixed forms as 
words, for instance, would take care of the majority of examples that the present 
system can't handle automatically. Whether these forms should be added to the 
dictionary (at the cost of a significantly larger search space) or detected by a 
separate routine is under investigation. A second desirable extension would be to 
integrate the various heuristics and statistical approaches found in [S77], [PR79], 
[CM86], [A84] and [A86]. The information obtained from the statistical analyses 
might be valuable both in guiding the automated search as well as aiding the 
interactive user. Finally, a moderate improvement in performance would 
almost certainly result from a careful editing of the dictionary, which currently 
contains many extremely rare words and omits many common ones. It would 
also be desirable to order the words in the database, so that more frequently used 
words are considered first. These tedious tasks have not yet been undertaken. 

6. Performance 

The system has been implemented in Franz Lisp on a Vax 11/780 computer. 
In tests on more than 100 examples chosen at random from newspapers and 
magazines, the system was successful in a completely automated mode about 
60% of the time. Usually the solution was obtained in less than three minutes of 
CPU time. In approximately 30% of the trials, the program required rather 
trivial human intervention, such as the guessing of a common short word such as 
the or and. Failure most commonly occurred on examples in which none of the 
longer words in the plaintext were present in the dictionary. This situation 
occurs, for instance, when all of the long words are plurals or suffixed, since these 
forms are not likely to be found in our limited dictionary. When this happens, 
the system is forced to use small words as trial entries, thereby establishing few 
constraints and hence greatly expanding the search space. The second most com- 
mon cause of failure was that none of the words in the plaintext contained any 
repeated letters. In this case, the program is unable to proceed (unless there are 
some one-letter words) because there are no entry candidates. This situation is 
most likely to arise in very short messages or in examples composed mostly of 
short words. 

7. Conclusions 

We have described an automated method for decrypting simple substitution 
ciphers based on exhaustive search and controlled thru constraints imposed by 
word patterns. No statistical analyses or language-specific heuristics are 
employed. Although quite successful in its own right, we believe that the tech- 
nique could be used as a driver to an even more powerful system in which heuris- 
tics and statistical information would assist in directing the search. This hybrid 
approach would exploit the somewhat unstructured methods of the human 
cryptanalyst while retaining the systematic character of the exhaustive search 
that enables successful automation. 
Appendix 

Program Execution with Trace of Word Search 

The current depth of the search tree is indicated by the number on the left. The 
ciphertext of the word currently being examined is denoted in upper case, while 
the trial decryption for the word is in lower case. (A portion of the trace has 
been omitted to save space.) 



MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM 

0 CJQLAPZZ kilowatt 
0 CJQLAPZZ waitress 
0 CJQLAPZZ ruthless 



0 CJQLAPZZ princess 
0 CJQLAPZZ marquess 
0 CJQLAPZZ giantess 
0 CJQLAPZZ dutchess 
0 CJQLAPZZ congress 
0 CJQLAPZZ compress 
0 CJQLAPZZ baroness 
0 CJQLAPZZ buckaroo 
| 1 MZDDTK sodden 
| | 2 TNT eye 

*** -- Solution #1 
Score = 3100 
sodden buckaroo dnds buckyorc eounda src-rc- eye syc-s 
MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM 

| | 2 TNT ewe 

*** -- Solution #2 
Score = 3100 
sodden buckaroo dnds buckworc eounda src-rc- ewe swc-s 
MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM 

| | 2 TNT eve 

*** -- Solution #3 
Score = 3100 
sodden buckaroo dnds buckvorc eounda src-rc- eve svc-s 
MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM 

| 1 MZDDTK toddle 
| 1 MZDDTK soffit 
| 1 MZDDTK joggle 
| 1 MZDDTK toggle 
| 1 MZDDTK pollen 
| | 2 TNT eye 

*** -- Solution #4 
Score = 3100 
pollen buckaroo lnlp buckyorc eounla prc-rc- eye pyc-p 
MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM 

{ To save space, the next 15 trial solutions are omitted } 

0 CJQLAPZZ nutshell 
| 1 MZDDTK bloody 
| | 2 TNT did 

*** -- Solution #20 
Score = 3100 
bloody nutshell oyob nutsilet dluyoh bet-et- did bit-b 
MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM 

| | 2 TNT dad 

*** -- Solution #21 
Score = 3100 
bloody nutshell oyob nutsalet dluyoh bet-et- dad bat-b 
MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM 

| 1 MZDDTK gloomy 
0 CJQLAPZZ mandrill 
| 1 CJQLNZPQ mandolin 
| | 2 TZJKDA slater 

*** -- Solution #22 
Score = 3100 
-leest mandrill ete- mandolin slater -in-in- sos -on-- 
MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM 

| | 2 MZDDTK sleety 

*** -- Solution #23 
Score = 4100 
sleety mandrill eyes mandolin tlayer sin-in- tot son-s 
MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM 

| | 2 MZDDTK sleepy 

*** -- Solution #24 
Score = 4100 
sleepy mandrill eyes mandolin player sin-in- pop son-s 
MZDDTK CJQLAPZZ DKDM CJQLNZPQ TZJKDA MPQBPQB TNT MNQBM 
ABSTRACT - Pseudorandom generators (suggested and developed by Blum and Micali and 
Yao) are efficient deterministic programs that expand a randomly selected $k$-bit seed into a much 
longer pseudorandom bit sequence which is indistinguishable in polynomial time from an 
(equally long) sequence of unbiased coin tosses. Pseudorandom generators are known to exist 
assuming the existence of functions that cannot be efficiently inverted on the distributions 
induced by applying the function iteratively polynomially many times. This sufficient condition 
is also a necessary one, but it seems difficult to check whether particular functions, assumed to be 
one-way, are also one-way on their iterates. This raises the fundamental question whether the 
mere existence of one-way functions suffices for the construction of pseudorandom generators. 

In this paper we present progress towards resolving this question. We consider regular 
functions, in which every image of a $k$-bit string has the same number of preimages of length $k$. 
We show that if a regular function is one-way then pseudorandom generators do exist. In particular, 
assuming the intractability of general factoring, we can now prove that pseudorandom generators 
do exist. Other applications are the construction of pseudorandom generators based on the 
conjectured intractability of decoding random linear codes, and on the assumed average case 
difficulty of combinatorial problems such as subset-sum. 



1. INTRODUCTION 

In recent years randomness has become a central notion in the theory of computation. 
It is heavily used in the design of sequential, parallel and distributed algorithms, 
and is of course crucial to cryptography. Once so frequently used, randomness itself has 
become a resource, and economizing on the amount of randomness required for an application 
has become a natural concern. It is in this light that the notion of pseudorandom 
generators was first suggested and the following fundamental result was derived: the 
number of coin tosses used in any practical application (modeled by a polynomial time 
computation) can be decreased to an arbitrarily small power of the input length. 

The key to the above informal statement is the notion of a pseudorandom generator 
suggested and developed by Blum and Micali [BM] and Yao [Y]. A pseudorandom generator 
is a deterministic polynomial time algorithm which expands short seeds into 
longer bit sequences, such that the output ensemble is polynomially-indistinguishable 
from the uniform probability distribution. More specifically, the generator (denoted $G$) 
expands a $k$-bit seed into a longer, say $2k$-bit, sequence so that for every polynomial time 
algorithm (distinguishing test) $T$, any constant $c>0$, and sufficiently large $k$ 

$$\left|\Pr[T(G(X_k)) = 1] - \Pr[T(X_{2k}) = 1]\right| < \frac{1}{k^c},$$

where $X_m$ is a random variable assuming as values strings of length $m$, with uniform probability 
distribution. It follows that the strings output by a pseudorandom generator $G$ 
can substitute the unbiased coin tosses used by any polynomial time algorithm $A$, without 
changing the behavior of algorithm $A$ in any noticeable fashion. This yields an 
equivalent polynomial time algorithm, $A'$, which randomly selects a seed, uses $G$ to 
expand it to the desired amount, and then runs $A$ using the output of the generator as the 
random source required by $A$. The theory of pseudorandomness was further developed to 
deal with function generators and permutation generators, and additional important applications 
to cryptography have emerged [GGM, LR]. The existence of such seemingly 
stronger generators was reduced to the existence of pseudorandom (string) generators. 

Research done while the third author was visiting the Computer Science Department of the Technion. First 
author was supported by grant No. 86-00301 from the United States - Israel Binational Science Foundation 
(BSF), Jerusalem, Israel. Third author was partially supported by a Natural Sciences and Engineering 
Research Council of Canada operating grant No. A8092 and by a University of Toronto grant. 

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 146-162, 1990. 

In light of their practical and theoretical value, constructing pseudorandom genera- 
tors and investigating the possibility of such constructions is of major importance. A 
necessary condition for the existence of pseudorandom generators is the existence of 
one-way functions (since the generator itself constitutes a one-way function). However, 
it is not known whether this necessary condition is sufficient. Instead, stronger versions 
of the one-wayness condition were shown to be sufficient. Before reviewing these 
results, let us recall the definition of a one-way function. 

Definition 1: A function $f:\{0,1\}^* \to \{0,1\}^*$ is called one-way if it is polynomial time 
computable, but not "polynomial time invertible". Namely, there exists a constant $c>0$ such 
that for any probabilistic polynomial time algorithm $A$, and sufficiently large $k$, 

$$\Pr\left[A(f(x),1^k) \notin f^{-1}(f(x))\right] > k^{-c}, \qquad (*)$$

where the probability is taken over all $x$'s of length $k$ and the internal coin tosses of $A$, 
with uniform probability distribution. 

(Remark: The role of $1^k$ in the above definition is to allow algorithm $A$ to run for time 
polynomial in the length of the preimage it is supposed to find. Otherwise, any function 
which shrinks the input by more than a polynomial amount would be considered one-way.) 

1.1. Previous Results 

The first pseudorandom generator was constructed and proved valid, by Blum and 
Micali, under the assumption that the discrete logarithm problem is intractable on a non-negligible 
fraction of the instances [BM]. In other words, it was assumed that exponentiation 
modulo a prime (i.e. the 1-1 mapping of the triple $(p,g,x)$ to the triple 
$(p,g,g^x \bmod p)$, where $p$ is prime and $g$ is a primitive element in $Z_p^*$) is one-way. Assuming 
the intractability of factoring integers of the form $N=pq$, where $p$ and $q$ are primes 
and $p \equiv q \equiv 3 \pmod 4$, a simple pseudorandom generator exists [BBS, ACGS] (1). Under this 
assumption the permutation defined over the quadratic residues by modular squaring is 
one-way. 

Yao has presented a much more general condition which suffices for the existence 
of pseudorandom generators; namely, the existence of one-way permutations [Y] (2). 

Levin has weakened Yao's condition, presenting a necessary and sufficient condition 
for the existence of pseudorandom generators [L]. Levin's condition, hereafter 
referred to as one-way on iterates, can be derived from Definition 1 by substituting the 
following line for line (*): 

$$(\forall i,\ 1 \le i \le k^{c+2})\qquad \Pr\left[A(f^{(i)}(x),1^k) \notin f^{-1}(f^{(i)}(x))\right] > k^{-c},$$

where $f^{(i)}(x)$ denotes $f$ iteratively applied $i$ times on $x$. (As before, the probability is 
taken uniformly over all $x$'s of length $k$.) Clearly, any one-way permutation is one-way 
on its iterates. It is also easy to use any pseudorandom generator in order to construct a 
function which satisfies Levin's condition. 

Levin's condition for the construction of pseudorandom generators is somewhat 
cumbersome. In particular, it seems hard to test the plausibility of the assumption that a 
particular function is one-way on its iterates. Furthermore, it is an open question whether 
Levin's condition is equivalent to the mere existence of one-way functions. 

1.2. Our Results 

In this paper we present progress towards resolving the above open problem. We 
consider "regular" functions, in which every element in the range has the same number of 
preimages. More formally, we use the following definition. 

Definition 2: A function $f$ is called regular if there is a function $m(\cdot)$ such that for every 
$n$ and for every $x \in \{0,1\}^n$ the cardinality of $f^{-1}(f(x)) \cap \{0,1\}^n$ is $m(n)$. 

Clearly, every 1-1 function is regular (with $m(n)=1$ for all $n$). Our main result is 

Main Theorem: If there exists a regular one-way function then there exists a pseudorandom 
generator. 

A special case of interest is that of 1-1 one-way functions. The sufficiency of these 
functions for constructing pseudorandom generators does not follow from previous 
works. In particular, Yao's result concerning one-way permutations does not extend to 
1-1 one-way functions. 

1) A slightly more general result, concerning integers with all prime divisors congruent to 3 mod 4, also holds 
[CGG]. 

2) In fact, Yao's condition is slightly more general. He requires that $f$ is 1-1 and that there exists a probability 
ensemble $\Pi$ which is invariant under the application of $f$ and that inverting $f$ is "hard on the average" 
when the input is chosen according to $\Pi$. 
Regularity appears to be a simpler condition than the intractability of inverting on 
the function's iterates. Furthermore, many natural functions (e.g. squaring modulo an 
integer) are regular and thus, using our result, a pseudorandom generator can be 
constructed assuming that any of these functions is one-way. In particular, if factoring is 
weakly intractable (i.e. every polynomial time factoring algorithm fails on a non-negligible 
fraction of the integers) then pseudorandom generators do exist. This result 
was not known before. (It was only known that the intractability of factoring a special 
subset of the integers implies the existence of a pseudorandom generator.) Using our 
results, we can construct pseudorandom generators based on the (widely believed) conjecture 
that decoding random linear codes is intractable, and on the assumed average case 
difficulty of combinatorial problems such as subset-sum. 

The main theorem is proved essentially by transforming any given regular one-way 
function into a function that is one-way on its iterates (and then applying Levin's result 
[L]). 

It is interesting to note that not every (regular) one-way function is "one-way on its 
iterates". To emphasize this point, we show (in Appendix A) that from a (regular) one-way 
function we can construct a (regular) one-way function which is easy to invert on the 
distribution obtained by applying the function twice. The novelty of this work is in 
presenting a direct way to construct a function which is one-way on its iterates from any 
regular one-way function (which is not necessarily one-way on its iterates). 

1.3. Subsequent Results 

Recent results of Impagliazzo, Levin and Luby extend our results in two directions 
[ILL]. First, they generalize the regularity condition, deriving a necessary and sufficient 
condition for the existence of pseudorandom generators. The new condition requires that 
the function $f$ is one-way on a distribution induced by a function $h$, while the distribution 
induced by $f \circ h$ has almost the same entropy as the distribution induced by $h$. 
Second, they show that using non-uniform definitions of one-way functions and pseudorandom 
generators yields their equivalence. 

2. MAIN RESULT 

2.0. Preliminaries 

In the sequel we make use of the following definition of a strongly one-way function. 
(When referring to Definition 1, we shall call the function weak one-way or simply one-way.) 

Definition 3: A polynomial time computable function $f:\{0,1\}^* \to \{0,1\}^*$ is called 
strongly one-way if for any probabilistic polynomial time algorithm $A$, any positive constant 
$c$, and sufficiently large $k$, 

$$\Pr\left[A(f(x),1^k) \in f^{-1}(f(x))\right] < k^{-c},$$

where the probability is taken over all $x$'s of length $k$ and the internal coin tosses of $A$, 
with uniform probability distribution. 

Theorem (Yao [Y]): There exists a strong one-way function if and only if there exists a 
(weak) one-way function. Furthermore, given a one-way function, a strong one can be 
constructed. 

It is important to note that Yao's construction preserves the regularity of the function. 
Thus, we may assume without loss of generality that we are given a function $f$ 
which is strongly one-way and regular. 

For the sake of simplicity, we assume $f$ is length preserving (i.e. $\forall x,\ |f(x)| = |x|$). 
Our results hold also without this assumption (see subsection 2.6). 

Notation: For a finite set $S$, the notation $s \in_R S$ means that the element $s$ is randomly 
selected from the set $S$ with uniform probability distribution. 

2.1. Levin's Criterion: A Modified Version 

The proof of the Main Theorem relies on the transformation of a function which is 
one-way and regular into a function which satisfies a variant of Levin's condition (i.e., 
being one-way on iterates). The modified condition, relating to functions which leave the 
first part of their argument unchanged, requires that the function is one-way on a number 
of iterates which exceeds the length of the second part of its argument. (Levin has 
required that the function is one-way on a number of iterations exceeding the length of 
the entire argument.) A precise statement can be found in Lemma 1 below. Before proving 
the sufficiency of the modified condition for constructing pseudorandom generators, 
we recall the basic ideas behind Levin's condition. 

Levin's condition is motivated by the Blum-Micali scheme for the construction of pseudorandom 
generators [BM]. This scheme uses two basic elements. The first, a (strongly) 
one-way function $f$, and the second, a boolean predicate $b(\cdot)$ called a "hard-core" of the 
function $f$. (Roughly speaking, a Boolean function $b(\cdot)$ is a hard-core predicate of $f$, if 
it is polynomial time computable, but no polynomial time probabilistic algorithm given 
$f(x)$, for randomly selected $x$, can compute the value of $b(x)$ with a probability significantly 
better than 1/2.) A pseudorandom generator $G$ is constructed in the following 
way. On input $x$ (the seed), the generator $G$ applies iteratively the one-way function $f(\cdot)$ 
on $x$ for $t$ ($= \mathrm{poly}(|x|)$) times (i.e. $f(x), f^{(2)}(x), \ldots, f^{(t)}(x)$). In each application of $f$, the 
predicate $b(f^{(i)}(x))$ is computed and the resultant bit is output by the generator. That is, $G$ 
outputs a string of length $t$. Blum and Micali show that the above sequence of bits is 
unpredictable when presented in reverse order (i.e. $b(f^{(t)}(x))$ first and $b(f^{(1)}(x))$ last), provided 
that the boolean function $b(\cdot)$ is a hard-core predicate on the distribution induced 
by the iterates $f^{(i)}$, $0 \le i < t$. The unpredictability of the sequence is proved by showing 
that an algorithm which succeeds to predict the next bit of the sequence with probability 
better than one half can be transformed into an algorithm for "breaking" the hard-core of 
the function $f$. Finally, applying Yao's Theorem [Y] that unpredictable sequences are 
pseudorandom, we get that the above $G$ is indeed a pseudorandom generator. 

The hard part of the proof of Levin's Theorem (namely, that the existence of a function 
$f$ being one-way on iterates implies the existence of pseudorandom generators) is in 
showing that the existence of a one-way function implies the existence of a hard-core 
predicate on the iterates of another function. (3) In order to construct this bit, the original 
function $f$ is modified into a new one-way function $f'$, and the hard-core predicate $b(\cdot)$ is 
constructed with respect to the new $f'$. The function $f'$ consists of the parallel application 
of the original $f$ on many copies, i.e. $f'(x_1,\ldots,x_s) = (f(x_1),\ldots,f(x_s))$. The $x_i$'s are of 
equal size, say $n$, and Levin's construction uses a number of copies $s(n)$ which is any 
function that grows faster than $c\log n$, for any constant $c$. For constructing a pseudorandom 
generator, following the Blum-Micali scheme, $f'$ should be iterated on a seed of length 
$k$ for at least $k+1$ iterations (4). Recall that the seed has the form $(x_1,\ldots,x_{s(n)})$. Thus in 
order to have $f'$ which is one-way for $n\,s(n)+1$ iterations, we need that the original function 
$f$ is one-way for this number of iterations when applied to the substrings $x_i$ of length 
$n$. Let $\tau(n)$ be a function which is an upper bound on the function $n\,s(n)+1$. For simplicity 
we may assume $\tau(n)=n^2$. Thus, we get that in order to construct a pseudorandom 
generator it suffices to have a function $f$ which is strongly one-way for $\tau(n)$ iterations 
when applied to strings of length $n$. This is Levin's sufficient (and necessary) condition 
for the existence of pseudorandom generators. (Observe that Levin's condition as 
presented in section 1.1 refers to weak one-way functions, and then a greater number of 
iterations is required.) 

In our work we use the concept of "one-wayness on iterates" in a slightly modified 
way. We consider a function $F(\cdot,\cdot)$ defined as 

$$F(h,x) = (h, F_0(h,x)) \qquad (*)$$

That is, $F$ applies a function $F_0$ on its arguments and concatenates the first argument $h$ to 
this result. The advantage of considering this kind of function is that in order to construct 
a pseudorandom generator based on this function, it suffices to require that the 
function $F$ is strongly one-way for $\tau(|x|)$ iterations, instead of the $\tau(|h|+|x|)$ iterations 
required by the straightforward application of Levin's result. The way we prove the sufficiency 
of this condition is as follows. First, we use Levin's modification of the function 
$F$ into a new function $F'(h',x')$ for which a hard-core predicate does exist. (This is the 
same as the transformation from $f$ to $f'$ in the above description of Levin's construction.) 
An important and simple observation is that $F'$ preserves the form (*). Then, the 
3) This part of the proof can be avoided using a recent result of Goldreich and Levin [GL]. This result states 
that any function $f'(x,r) = (f(x), r)$, where $|x| = |r|$, has a hard-core predicate for the uniform distribution 
on $r$ and any distribution on $x$ for which $f$ is one-way. 

4) A notable property of pseudorandom generators is that in order to have a generator which expands strings 
to any polynomial length, it suffices to construct a generator which expands strings of length $k$ into strings of 
length $k+1$. This generator can be iteratively applied for polynomially many times without harming the 
pseudorandomness of its output [GrM]. 
function $F'$ is applied by the generator $G$ for at least $|x'|+1$ iterations. Note that $F'$ 
remains one-way for all these iterations, as the original $F_0(h,x)$ is one-way for $\tau(|x|)$ 
iterates, and then pseudorandom bits can be computed by using the hard-core of 
$F'$. The output of $G$ will be the string $h'$ concatenated with the above $|x'|+1$ pseudorandom 
bits. That is, $G$ expands its seed into a string which is at least one bit longer. The 
pseudorandomness of the output string is proved by noting that it is unpredictable. This is 
true for the $h'$ part because it was chosen as a truly random string, and true for the other 
bits as guaranteed by the Blum-Micali scheme. Namely, the ability to predict any of these 
bits would compromise the security of the hard-core of $F'$. The fact that the string $h'$ is 
output does not help the predictor, because the hard-core predicate of $F'$ is unapproximable 
even when given $h'$. Recall that when given $F'(h',x')$ the string $h'$ is explicitly 
presented. 

Summarizing, we get the following Lemma. 

Lemma 1: Let $\tau(n) = n^2$. A sufficient condition for the existence of a pseudorandom 
generator is the existence of a function $F$ of the form 

$$F(h,x) = (h, F_0(h,x))$$

such that $F$ is strongly one-way for $\tau(|x|)$ iterations. 
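The Blum-Micali generator described above, and the role of the unchanged first argument $h$ in Lemma 1, can be seen in a concrete instantiation. The Python below is an added example, not code from the paper: it takes $f(x) = g^x \bmod p$ with the toy parameters $p = 2^{31}-1$ and $g = 7$ (an assumption for illustration only; at this size discrete logarithms are found by brute force, so the output is not pseudorandom in any practical sense), uses the Goldreich-Levin inner-product bit of footnote 3 as the hard-core predicate, so that the iterated function $f'(x,r) = (f(x),r)$ has the form $F(h,x) = (h, F_0(h,x))$ with $h = r$, and outputs $r$ followed by the bits of the iterates in reverse order, as the generator $G$ of this section does.

```python
"""Blum-Micali generator with a Goldreich-Levin hard-core bit, in the F(h, x) = (h, F_0(h, x)) form."""
import secrets

# Toy instantiation (assumption, not a secure parameter choice): p = 2^31 - 1 is prime and 7 is a
# primitive root mod p, so x -> 7^x mod p is a bijection from {0, ..., p-2} onto Z_p^*. Its
# one-wayness is the discrete-logarithm assumption of [BM]; at 31 bits it is trivially invertible,
# so this only shows the structure of the construction.
P = 2**31 - 1
G = 7
N = 31                       # bit length of the seed halves x and r


def f(x):
    """The (assumed) one-way function: modular exponentiation."""
    return pow(G, x, P)


def gl_bit(x, r):
    """Goldreich-Levin predicate b(x, r) = <x, r> mod 2: the hard-core bit of f'(x, r) = (f(x), r)."""
    return bin(x & r).count("1") & 1


def blum_micali(x0, r, t):
    """Iterate f t times from x0 and return b(x_i, r) for i = t, t-1, ..., 1 (reverse order).

    (x, r) plays the role of (x, h): r passes through f'(x, r) = (f(x), r) unchanged, so the
    iterated function is of the form F(h, x) = (h, F_0(h, x)) required by Lemma 1."""
    iterates = [x0]
    for _ in range(t):
        iterates.append(f(iterates[-1]))
    # Last iterate first: a predictor that has seen b(x_t), ..., b(x_{i+1}) and must guess b(x_i)
    # can be handed f(x_i) = x_{i+1}, which is exactly the hard-core game for f'.
    return [gl_bit(iterates[i], r) for i in range(t, 0, -1)]


def expand(seed, t):
    """The generator G: split a 2N-bit seed into (r, x0) and output r followed by t bits.

    Returned as a bit string. With t = N + 1 the 2N-bit seed becomes a 2N + 1 bit output, the
    one-bit stretch that footnote 4 says is enough; the r part is output verbatim, just as G
    outputs h' in the clear above."""
    r = seed >> N
    x0 = seed & ((1 << N) - 1)
    bits = blum_micali(x0, r, t)
    return format(r, f"0{N}b") + "".join(map(str, bits))


if __name__ == "__main__":
    seed = secrets.randbits(2 * N)
    out = expand(seed, N + 1)
    print(f"seed: {2 * N} bits, output: {len(out)} bits")
    print(out)
```

Swapping in a real one-way permutation and a cryptographic group size changes only `f`, `P`, `G` and `N`; the iteration, the fixed `r`, and the reversed output order are the parts the security argument depends on.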

2.2. Main Ideas 

We prove the Main Theorem by transforming any regular and (strongly) one-way 
function into a new strongly one-way function $f'$ for which the conditions of Lemma 1 
hold. 

The following are the main ideas behind this construction. Since the function $f$ is 
strongly one-way, any algorithm trying to invert $f$ can succeed only with negligible probability. 
Here the probability distribution on the range of $f$ is induced by choosing a random 
element from the domain and applying $f$. However, this condition says nothing 
about the capability of an algorithm to invert $f$ when the distribution on the range is substantially 
different. For example, there may be an algorithm which is able to invert $f$ if 
we consider the distribution on the range elements induced by choosing a random element 
from the domain and applying $f$ twice or more (see Appendix A). To prevent this 
possibility, we "randomly" redistribute, after each application of $f$, the elements in the 
range to locations in the domain. We prove the validity of our construction by showing 
that the probability distribution induced on the range of $f$ by our "random" transformations 
(and the application of $f$) is close to the distribution induced by the first application 
of $f$. 

The function $f'$ we construct must be deterministic, and therefore the "random" 
redistribution must be deterministic (i.e. uniquely defined by the input to $f'$). To 
achieve this, we use high quality hash functions. More specifically, we use hash functions 
which map $n$-bit strings to $n$-bit strings, such that the locations assigned to the 
strings by a randomly selected hash function are uniformly distributed and $n$-wise 
independent. For properties and implementations of such functions see [CW, J, CG, Lu]. 
We denote this set of hash functions by $H(n)$. Elements of $H(n)$ can be described by bit 
strings of length $n^2$. In the sequel $h$ ($\in H(n)$) refers to both the hash function and to its 
representation. 

2.3. The Construction of /' 

We view the input string to $f'$ as containing two types of information. The first part 
of the input is the description of hash functions that implement the "random" redistributions, 
and the other part is interpreted as the input for the original function $f$. 

The following is the definition of the function $f'$: 

$$f'(h_0,\ldots,h_{t(n)-1},\, i,\, x) = (h_0,\ldots,h_{t(n)-1},\, i^+,\, h_i(f(x)))$$

where $x \in \{0,1\}^n$, $h_j \in H(n)$, $0 \le j \le t(n)-1$. The function $t(n)$ is a polynomial in $n$, and $i^+$ 
is defined as $(i+1) \bmod t(n)$. 

The rest of this section is devoted to the proof of the following theorem. 

Theorem 2: Let $f$ be a regular and strongly one-way function. Then the function $f'$ 
defined above is strongly one-way for $t(n)$ iterations on strings $x$ of length $n$. 

Our Main Theorem follows from Theorem 2 and Lemma 1 by choosing $t(n) \ge \tau(n)$. 

Let $h_0, h_1, \ldots$ be $t(n)$ functions from the set $H(n)$. For $r = 1,\ldots,t(n)$, let 
$g_r$ be the function $g_r = f\, h_{r-1}\, f\, h_{r-2}\, f \cdots h_0\, f$ acting on strings of length $n$, let $G_r(n)$ be 
the set of all such functions $g_r$, let $g$ be $g_{t(n)}$ and let $G(n)$ be the set of such functions $g$. 
From the above description of the function $f'$ it is apparent that the inversion of an iterate 
of $f'$ boils down to the problem of inverting $f$ when the probability distribution on the 
range of $f$ is that of $g_r(x)$ where $x \in_R \{0,1\}^n$. We show that, for most $g \in G(n)$, the number of 
preimages under $g$ of each element in its range is close (up to a polynomial factor) to the 
number of preimages of the same range element under $f$. This implies that the same 
statement is true for most $g_r \in G_r(n)$ for all $r = 1,\ldots,t(n)$. The proof of this result 
reduces to the analysis of the combinatorial game that we present in the next subsection. 
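The redistribution step of $f'$, and the balls-and-cells behaviour it is analysed through, can be simulated on a small instance to see why the step is needed. The Python program below is an added example, not code from the paper, and it replaces the paper's objects with toy stand-ins that are assumptions: the domain is $\mathbb{Z}_p$ for $p = 257$ rather than $n$-bit strings; the regular function $f$ is squaring modulo $p$, which is 2-to-1 on $\mathbb{Z}_p^*$ (so $m(n) = 2$) and of course not one-way at this size; and $H(n)$ is the family of polynomials of degree below $n$ over $\mathrm{GF}(p)$, which is $n$-wise independent. It compares the largest preimage set of $g = g_t$ with the hash redistribution against plain iteration $f^{(t+1)}$, which on this cyclic group collapses onto a subgroup of four elements, each with 64 preimages.

```python
"""Simulating the hash redistribution of f' and the resulting preimage sizes of g_r."""
import random
from collections import Counter

# Toy stand-ins (assumptions, see lead-in): Z_p with p = 257 replaces {0,1}^n, squaring mod p
# replaces the regular one-way function f, and degree-(N-1) polynomials over GF(p) replace H(n).
P = 257
N = 6                      # the hash family below is N-wise independent


def f(x):
    """Squaring mod p: 2-to-1 on Z_p^* (so m(n) = 2 in the paper's notation), with f(0) = 0."""
    return x * x % P


def make_hash(rng):
    """Random member of H(n): x -> a_0 + a_1 x + ... + a_{N-1} x^{N-1} mod p (Horner evaluation)."""
    coeffs = [rng.randrange(P) for _ in range(N)]

    def h(x):
        acc = 0
        for a in reversed(coeffs):
            acc = (acc * x + a) % P
        return acc
    return h


def sample_hashes(t, seed=3):
    """t independent members of H(n) drawn with a fixed seed (for reproducible checks)."""
    rng = random.Random(seed)
    return [make_hash(rng) for _ in range(t)]


def f_prime(hashes, i, x):
    """One application of f'(h_0..h_{t-1}, i, x) = (h_0..h_{t-1}, i^+, h_i(f(x))).
    The hash descriptions pass through unchanged, so only (i^+, new x) is returned."""
    return (i + 1) % len(hashes), hashes[i](f(x))


def iterate_f_prime(hashes, x, rounds):
    """Apply f' `rounds` times starting from index i = 0."""
    i, y = 0, x
    for _ in range(rounds):
        i, y = f_prime(hashes, i, y)
    return i, y


def g_r(hashes, r, x):
    """g_r = f h_{r-1} f ... h_0 f (x): inverting the (r+1)-th iterate of f' amounts to inverting f
    on the distribution of g_r(x) for uniform x."""
    _, y = iterate_f_prime(hashes, x, r)    # h_{r-1} f ... h_0 f (x)
    return f(y)


def preimage_profile(t, redistribute, seed=1):
    """(largest |g_t^{-1}(z)|, number of occupied range cells) over x in Z_p^*.
    With redistribute=False the hashes are the identity and g_t is plain iteration f^{(t+1)}."""
    rng = random.Random(seed)
    hashes = [make_hash(rng) if redistribute else (lambda y: y) for _ in range(t)]
    counts = Counter(g_r(hashes, t, x) for x in range(1, P))
    return max(counts.values()), len(counts)


def regularity_of_f():
    """Set of preimage counts of f on Z_p^*: {2} means f is regular there with m(n) = 2."""
    return set(Counter(f(x) for x in range(1, P)).values())


if __name__ == "__main__":
    t = 5
    print("preimage sizes of f on Z_p^*:", regularity_of_f())
    print("plain iteration f^(t+1):  (max preimages, occupied cells) =", preimage_profile(t, False))
    print("with hash redistribution: (max preimages, occupied cells) =", preimage_profile(t, True))
```

Without redistribution the sixth iterate is $x \mapsto x^{64}$, so the mass of $\mathbb{Z}_{257}^*$ sits on four cells of 64 balls each, which is the "iterate-specific" distribution an inverter could exploit; with the hashes interleaved, the occupied cells stay numerous and the largest preimage set stays far below that, in line with Lemma 6's polynomial factor over $m(n)$.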

2.4. The game 

Consider the following game played with $M$ balls and $M$ cells where $t(n) \ll M \le 2^n$. 
Initially each cell contains a single ball. The game has $t(n)$ iterations. In each iteration, 
cells are mapped randomly to cells by means of an independently and randomly selected 
hash function $h \in_R H(n)$. This mapping induces a transfer of balls so that the balls residing 
(before an iteration) in cell $a$ are transferred to cell $h(a)$. We are interested in bounding 
the probability that some cells contain "too many" balls when the process is finished. 
We show that after $t(n)$ iterations, for $t(n)$ a polynomial, the probability that there is any 
cell containing more than some polynomial in $n$ balls is negligibly small (i.e. less than 
any polynomial in $n$ fraction). 
We first proceed to determine a bound on the probability that a specific set of $n$ 
balls is mapped after $t(n)$ iterations to a single cell. 

Lemma 3: The probability that a specific set of $n$ balls is mapped after $t(n)$ iterations to 
the same cell is bounded above by 

$$p(n) = \left(\frac{n\,t(n)}{M}\right)^{n-1}.$$

Proof: Let $B = \{b_1, b_2, \ldots, b_n\}$ be a set of $n$ balls. Notice that each execution of the 
game defines for every ball $b_i$ a path through $t(n)$ cells. In particular, fixing $t(n)$ hash 
functions $h_0, h_1, \ldots, h_{t(n)-1}$, a path corresponding to each $b_i$ is determined. Clearly, if 
two such paths intersect at some point then they coincide beyond this point. We modify 
these paths in the following way. The initial portion of the path for $b_i$ that does not intersect 
the path of any smaller indexed ball is left unchanged. If the path for $b_i$ intersects 
the path for $b_j$ for some $j < i$ then the remainder of the path for $b_i$ is chosen randomly 
and independently of the other paths from the point of the first such intersection. 

Because the functions $h_i$ are chosen totally independently of each other and because each 
of them has the property of mapping cells in an $n$-wise independent manner, it follows that the 
modified process just described is equivalent to a process in which a totally random path 
is selected for each ball in $B$. Consider the modified paths. We say that two balls $b_i$ and 
$b_j$ join if and only if their corresponding paths intersect. Define merge to be the reflexive 
and transitive closure of the relation join (over $B$). The main observation is that if 
$h_0, h_1, \ldots, h_{t(n)-1}$ map the balls of $B$ to the same cell, then $b_1, b_2, \ldots, b_n$ are all in the 
same equivalence class with respect to the relation merge. In other words, the probability 
that the balls in $B$ end up in the same cell in the original game is bounded above by the 
probability that the merge relation has a single equivalence class (containing all of $B$). 
Let us now consider the probability of the latter event. 

If the merge relation has a single equivalence class then the join relation defines a connected 
graph with the $n$ balls as vertices and the join relation as the set of edges. The 
"join graph" is connected if and only if it contains a spanning tree. Thus, an upper bound 
on the probability that the "join graph" is connected is obtained by the sum of the probabilities 
of each of the possible spanning trees which can be embedded in the graph. Each 
particular tree has probability at most $(t(n)/M)^{n-1}$ to be embedded in the graph ($t(n)/M$ is 
an upper bound on the probability of each edge to appear in the graph). Multiplying this 
probability by the (Cayley) number of different spanning trees ($n^{n-2}$, cf. [E, Sec. 2.3]), the 
lemma follows. $\square$ 

A straightforward upper bound on the probability that there is some set of $n$ balls 
which are merged is the probability that $n$ specific balls are merged multiplied by the 
number of possible distinct subsets of $n$ balls. Unfortunately, this bound is worthless, as 
$\binom{M}{n} p(n) > 1$. (This phenomenon is independent of the choice of the parameter $n$.) Instead 
we use the following technical lemma. 
we use the following technical lemma. 
Lemma 4: Let $S$ be a finite set, and let $\Pi$ denote a partition of $S$. Assume we have a probability 
distribution on partitions of $S$. For every $A \subseteq S$, we define $\chi_A(\Pi)=1$ if $A$ is contained 
in a single class of the partition $\Pi$ and $\chi_A(\Pi)=0$ otherwise. Let $n$ and $n'$ be 
integers such that $n < n'$. Let $p(n)$ be an upper bound on the maximum over all $A \subseteq S$ 
such that $|A|=n$ of the probability that $\chi_A = 1$. Let $q(n')$ denote the probability 
that there exists some $B \subseteq S$ such that $|B| \ge n'$ and $\chi_B = 1$. Then 

$$q(n') \le \frac{\binom{|S|}{n}\, p(n)}{\binom{n'}{n}}.$$

Proof: For $B \subseteq S$ we define $\xi_B(\Pi)=1$ if $B$ is exactly a single class of the partition $\Pi$ and 
$\xi_B(\Pi)=0$ otherwise. Fix a partition $\Pi$. Observe that every $B$, $|B| \ge n'$, for which 
$\xi_B(\Pi)=1$, contributes at least $\binom{n'}{n}$ different subsets $A$ of size $n$ for which $\chi_A = 1$. Thus 
we get that 

$$\binom{n'}{n} \sum_{B} \xi_B(\Pi) \le \sum_{A} \chi_A(\Pi).$$

Dividing both sides of this inequality by $\binom{n'}{n}$, and averaging according to the probability 
distribution on the partitions $\Pi$, the left hand side is an upper bound for $q(n')$, while the 
right hand side is bounded above by $\binom{|S|}{n} p(n) \big/ \binom{n'}{n}$. $\square$ 

Remark: Lemma 4 is useful in situations when the ratio is smaller than ( ^>-n 

Assuming that I, this happens when p(n) is greater than IS I - ". Lemma 3 is such 

a case, and thus the application of Lemma 4 is useful. 
Combining Lemmas 3 and 4, we get 

Theorem 5: Consider the game played for $t(n)$ iterations. Then, the probability that 
there are $4t(n)\,n^2+n$ balls which end up in the same cell is bounded above by $2^{-n}$. 

Proof: Let $S$ be the set of $M$ balls in the above game. Each game defines a partition of 
the balls according to their position after $t(n)$ iterations. The probability distribution on 
these partitions is induced by the uniform choice of the mappings $h$. Theorem 5 follows 
by using Lemma 4 with $n' = 4t(n)\,n^2+n$, and the bound $p(n)$ of Lemma 3. $\square$ 

2.5. Proof of Theorem 2 

We now apply Theorem 5 to the analysis of the function f'. As before, let $G(n)$ be the set of functions of the form $g = f\, h_{t(n)-1}\, f \cdots h_0\, f$. The functions $h = h_i$ are hash functions used to map the range of f to the domain of f. We let $h_0, \ldots, h_{t(n)-1}$ be chosen uniformly and independently from $H(n)$, and this induces a probability distribution on $G(n)$. Denote the range of f (on strings of length n) by $R(n) = \{z_1, z_2, \ldots, z_u\}$. Let each $z_i$ represent a cell. Consider the function h as mapping cells to cells. We say that h maps the cell $z_i$ to the cell $z_j$ if $h(z_i) \in f^{-1}(z_j)$, or in other words $f(h(z_i)) = z_j$. By the regularity of the function f, the size of $f^{-1}(z_i)$ (which we have denoted by $m(n)$) is equal for all $z_i \in R(n)$, and therefore the mapping induced on the cells is uniform. It is now apparent that $g \in_R G(n)$ behaves exactly as the random mappings in the game described in Section 2.4, and thus Theorem 5 can be applied. We get

Lemma 6: There is a constant $c_0$ such that for any constant $c > 0$ and sufficiently large n

$$\Pr\left[\exists z \text{ with } |g^{-1}(z)| > n^{c_0} \cdot m(n)\right] < \frac{1}{n^c},$$

where $g \in_R G(n)$.

Let us denote by $G'(n)$ the set of functions $g \in G(n)$ such that for all z in the range of f, $|g^{-1}(z)| \le n^{c_0} m(n)$. By the above lemma, $G'(n)$ contains almost all of $G(n)$. It is clear that if $g \in G'(n)$ then for all z in the range of f and for all $r = 1, \ldots, t(n)$ the function $g_r$ defined by the first r iterations of g satisfies $|g_r^{-1}(z)| \le n^{c_0} m(n)$.

Lemma 7: For any probabilistic polynomial time algorithm A, for any positive constant c and sufficiently large n, and for all $r = 1, \ldots, t(n)$,

$$\Pr\left[A(g_r, z) \in f^{-1}(z)\right] < n^{-c},$$

where $g_r \in_R G_r(n)$ and $z = g_r(x)$, $x \in_R \{0,1\}^n$.

Proof: We prove the claim for $r = t(n)$; the claim for $r = 1, \ldots, t(n)$ follows in an analogous way. Assume to the contrary that there is a probabilistic polynomial time algorithm A and a constant $c_A$ such that $\Pr[A(g, z) \in f^{-1}(z)] > n^{-c_A}$, where $g \in_R G(n)$ and $z = g(x)$, $x \in_R \{0,1\}^n$.

By using A, we can demonstrate an algorithm A' that inverts f, contradicting the one-wayness of f. The input to A' is $z = f(x)$ where $x \in_R \{0,1\}^n$. A' chooses $g \in_R G(n)$ and outputs $A(g, z)$. We show that A' inverts f with non-negligible probability. By assumption there is a non-negligible subset $G''(n)$ of $G'(n)$ such that, for each $g \in G''(n)$, A succeeds with significant probability to compute a $y \in f^{-1}(z)$ where $z = g(x)$ and $x \in_R \{0,1\}^n$. Since $g \in G'(n)$, for all z in the range of f the probability induced by g on z differs by at most a polynomial factor in n from the probability induced by f. Thus, for $g \in G''(n)$, A succeeds with significant probability to compute a $y \in f^{-1}(z)$ where $z = f(x)$ and $x \in_R \{0,1\}^n$. This is exactly the distribution of inputs to A', and thus A' succeeds to invert f with non-negligible probability, contradicting the strong one-wayness of f. □

The meaning of Lemma 7 is that the function f is hard to invert on the distribution induced by the functions $g_r$, $r = 1, \ldots, t(n)$, thus proving the strong one-wayness of the function f' for $t(n)$ iterations. Theorem 2 follows.
2.6. Extensions

In the above exposition we assumed for simplicity that the function f is length preserving, i.e. $x \in \{0,1\}^n$ implies that the length of $f(x)$ is n. This condition is not essential to our proof and can be dispensed with in the following way. If f is not length preserving then it can be modified to have the following property: for every n, there is an n' such that $x \in \{0,1\}^n$ implies that the length of $f(x)$ is n'. This modification can be carried out using a padding technique that preserves the regularity of f. We can then modify our description of f' to use hash functions mapping n'-bit strings to n-bit strings. Alternatively, we can transform the above f into a length preserving and regular function $\bar f$ by defining $\bar f(xy) = f(x)$, where $|x| = n$, $|y| = n' - n$.

For the applications in Section 3, and possibly for other cases, the following extension (referred to as semi-regular) is useful. Let $(f_x)_{x \in \{0,1\}^*}$ be a family of regular functions; then our construction can still be applied to the function f defined as $f(x, y) = (x, f_x(y))$. The idea is to use the construction for the application of the function $f_x$, while keeping x unchanged.

Another extension is a relaxation of the regularity condition. A useful notion in this 
context is the histogram of a function. 

Definition 4: The histogram of the function $f : \{0,1\}^* \to \{0,1\}^*$ is a function $hist_f : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ such that $hist_f(n, k)$ is the cardinality of the set

$$\left\{ x \in \{0,1\}^n \;:\; \left\lfloor \log_2 |f^{-1}(f(x))| \right\rfloor = k \right\}.$$

Regular functions have trivial histograms. Let f be a regular function such that for all $x \in \{0,1\}^n$, $|f^{-1}(f(x))| = m(n)$. The histogram satisfies $hist_f(n, k) = 2^n$ for $k = \lfloor \log_2(m(n)) \rfloor$ and $hist_f(n, k) = 0$ otherwise. Weakly regular functions have slightly less dramatic histograms.

Definition 5: The function f is weakly regular if there is a polynomial $p(\cdot)$ and a function $b(\cdot)$ such that the histogram of f satisfies (for all n)

i) $hist_f(n, b(n)) \ge \dfrac{2^n}{p(n)}$,

ii) $\displaystyle\sum_{k = b(n)+1}^{n} hist_f(n, k) \le \frac{2^n}{(n \, p(n))^2}$.

Clearly, this definition extends the original definition of regularity. Using our techniques one can show that the existence of weakly regular strongly one-way functions implies the existence of pseudorandom generators.

Observe that if the $b(n)$-th level of the histogram contains all of the $2^n$ strings of length n then we can apply a similar analysis as done for the regular case. The only difference is that we have to analyze the game of subsection 2.4 not for cells of equal size, but for cells that differ in their size by a multiplicative factor of at most two. Similar arguments hold when considering the case where the $b(n)$-th level of the histogram contains at least $1/p(n)$ of the strings and the rest of the strings lie below this level (i.e. $hist_f(n, k) = 0$ for $k > b(n)$). Note that the "small" balls of low levels cannot cause the cells of the $b(n)$-th level to grow significantly. On the other hand, for balls below level $b(n)$ nothing is guaranteed. Thus, we get that in this case the function f' we construct is weakly one-way on its iterates. More precisely, it is hard to invert on its iterates for at least a $1/p(n)$ fraction of the input strings. In order to use this function for generating pseudorandom bits, we have to transform it into a strongly one-way function. This is achieved following Yao's construction [Y] by applying f' in parallel on many copies. For the present case the number of copies could be any function of n which grows faster than $c \cdot p(n) \cdot \log n$, for any constant c. This increases the number of iterations for which f' has to remain one-way by a factor equal to the number of copies used in the above transformation. That is, the number $t(n)$ of necessary iterates increases from the original requirement of $x(n)$ (see section 2.1) to a quantity which is greater than $c \cdot p(n) \cdot x(n) \cdot \log n$, for any constant c. Choosing the function $t(n)$ in the definition of f' in section 2.3 in this way, we get an f' which is one-way for the right number of iterations.

Finally, consider the case in which there exist strings above the $b(n)$-th level. When considering the game of subsection 2.4 we want to show that, also in this case, most of the cells of the $b(n)$-th level do not grow considerably. This is guaranteed by condition (ii) in Definition 5. Consider the worst case possibility in which in every iteration the total weight of the "big" balls (those above level $b(n)$) is transferred to cells of the $b(n)$-th level. After $t(n)$ iterations this causes a concentration of "big" balls in the $b(n)$-th level having a total weight of at most $t(n) \cdot \dfrac{2^n}{(n \, p(n))^2}$. Choosing $t(n) = \frac{1}{2} p(n) n^2$ this weight will be at most $\dfrac{2^n}{2 p(n)}$. But then one half of the weight in the $b(n)$-th level remains concentrated in balls that were not affected by the "big" balls. In other words we get that the function f' so constructed is one-way for $t(n)$ iterations on $\dfrac{1}{2 p(n)}$ of the input strings. Applying Yao's construction, as explained above, we get a function f' which fulfils the criterion of Lemma 1 and is therefore suitable for the construction of pseudorandom generators.



Further Remarks:

1) A finer analysis allows to substitute the exponent 2, in condition (ii) of Definition 5, by any constant greater than 1.

2) The entire analysis holds when defining histograms with polynomial base (instead of base 2). Namely, $hist_f(n, k)$ is the cardinality of the set

$$\left\{ x \in \{0,1\}^n \;:\; \left\lfloor \log_{Q(n)} |f^{-1}(f(x))| \right\rfloor = k \right\},$$

where $Q(n)$ is a polynomial.
3. APPLICATIONS: Pseudorandom Generators Based on Particular Intractability Assumptions

In this section we apply our results in order to construct pseudorandom generators (PRGs) based on the assumption that one of the following computational problems is "hard on a non-negligible fraction of the instances".

3.1. PRG Based on the Intractability of the General Factoring Problem 

It is known that pseudorandom generators can be constructed assuming the intractability of factoring integers of a special form [Y]. More specifically, in [Y] it is assumed that any polynomial time algorithm fails to factor a non-negligible fraction of integers that are the product of primes congruent to 3 modulo 4. With respect to such an integer N, squaring modulo N defines a permutation over the set of quadratic residues mod N, and therefore the intractability of factoring (such N's) yields the existence of a one-way permutation [R]. It was not known how to construct a one-way permutation or a pseudorandom generator assuming that factoring a non-negligible fraction of all the integers is intractable. In such a case modular squaring is a one-way function, but this function does not necessarily induce a permutation. Fortunately, modular squaring is a semi-regular function (see subsection 2.6), so we can apply our results.

Assumption IGF (Intractability of the General Factoring Problem): There exists a constant $c > 0$ such that for any probabilistic polynomial time algorithm A, and sufficiently large k,

$$\Pr\left[A(N) \text{ does not split } N\right] > k^{-c},$$

where $N \in_R \{0,1\}^k$.

Corollary 8: The IGF assumption implies the existence of pseudorandom generators.

Proof: Define the following function $f(N, x) = (N, x^2 \bmod N)$. Clearly, this function is semi-regular. The one-wayness of the function follows from IGF (using Rabin's argument [R]). Using an extension of Theorem 2 (see subsection 2.6) the corollary follows. □

Subsequently, J. (Cohen) Benaloh has found a way to construct a one-way permutation based on the IGF assumption. This yields an alternative proof of Corollary 8.
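The histogram of Definition 4 (subsection 2.6) and Rabin's argument invoked in the proof of Corollary 8 can both be checked on a toy modulus. The Python below is an added example and not part of the paper: it computes the histogram of the squaring map $x \mapsto x^2 \bmod N$ over all of $\mathbb{Z}_N$ (the map $f_N$ of Corollary 8 with N fixed, so only its level structure is shown), and it turns a square-root oracle into a factoring algorithm. The oracle `brute_force_root` is a stand-in of this example for a hypothetical inverter of modular squaring, and the names `histogram`, `squaring_histogram`, `rabin_split`, `factor_with_inverter` and `demo_factor` are this example's own.

```python
import math
from collections import Counter
from random import Random


def histogram(f, domain, base=2):
    """Definition 4 for one input length: hist(k) = #{x in domain :
    floor(log_base |f^{-1}(f(x))|) = k}.  `domain` is iterated twice,
    so pass a list or range rather than a one-shot iterator."""
    preimages = Counter(f(x) for x in domain)   # |f^{-1}(z)| for every z that is hit
    hist = Counter()
    for x in domain:
        size = preimages[f(x)]
        level = 0                               # integer floor(log_base(size)), no floats
        while base ** (level + 1) <= size:
            level += 1
        hist[level] += 1
    return dict(hist)


def squaring_histogram(N):
    """Histogram of x -> x^2 mod N over all of Z_N (toy N, exhaustive)."""
    return histogram(lambda x: x * x % N, range(N))


def rabin_split(N, x, y):
    """Rabin's argument [R]: x^2 = y^2 (mod N) with x != +-y (mod N) gives a proper
    factor of N as gcd(x - y, N), because N divides (x - y)(x + y) but neither factor."""
    assert (x * x - y * y) % N == 0 and x % N not in (y % N, (-y) % N)
    d = math.gcd(x - y, N)
    assert 1 < d < N
    return d


def brute_force_root(N, z, rng):
    """Stand-in for a hypothetical inverter of squaring mod N (an assumption of this
    example): returns a uniformly random square root of z.  Exhaustive, toy N only."""
    roots = [y for y in range(N) if y * y % N == z]
    return rng.choice(roots)


def factor_with_inverter(N, invert, rng, tries=64):
    """Reduction from factoring to inverting squaring mod N: square a random x and
    ask the inverter for a root y of x^2.  For N = pq a unit has four roots, so with
    probability 1/2 the answer is neither x nor -x and the gcd splits N."""
    for _ in range(tries):
        x = rng.randrange(1, N)
        if math.gcd(x, N) != 1:
            return math.gcd(x, N)               # x itself already reveals a factor
        y = invert(N, x * x % N, rng)
        if y not in (x, N - x):
            return rabin_split(N, x, y)
    return None                                 # fails with probability 2^-tries


def demo_factor(N, seed=2024):
    """Run the reduction with the brute-force oracle and a fixed seed."""
    return factor_with_inverter(N, brute_force_root, Random(seed))


if __name__ == "__main__":
    N = 7 * 11
    # The 60 units of Z_77 have four square roots and sit on level 2; the 16
    # non-zero non-units have two roots (level 1); 0 has one root (level 0).
    print(squaring_histogram(N))
    print(demo_factor(N))
```

For N = 77 the histogram is {0: 1, 1: 16, 2: 60}: all inputs except a $1/p + 1/q$ fraction lie on a single level, which is the sense in which squaring modulo a product of two primes is regular up to a negligible fraction. `demo_factor(77)` returns 7 or 11, depending only on the seed.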

3.2. PRG Based on the Intractability of Decoding Random Linear Codes

One of the most outstanding open problems in coding theory is that of decoding random linear codes. Of particular interest are random linear codes with constant information rate which can correct a constant fraction of errors. An $(n, k, d)$-linear code is a k-by-n binary matrix in which the bit-by-bit XOR of any non-empty subset of the rows has at least d ones. The Gilbert-Varshamov bound for linear codes guarantees the existence of such a code provided that $k/n < 1 - H_2(d/n)$, where $H_2$ is the binary entropy function [McS, ch. 1, p. 34]. The same argument can be used to show (for every $\epsilon > 0$) that if $k/n < 1 - H_2((1+\epsilon)\, d/n)$, then almost all k-by-n binary matrices constitute $(n, k, d)$-linear codes.

We suggest the following function $f : \{0,1\}^* \to \{0,1\}^*$. Let C be a k-by-n binary matrix, $x \in \{0,1\}^k$, and $e \in E_t^n \subseteq \{0,1\}^n$ be a binary string with at most $t = \lfloor (d-1)/2 \rfloor$ ones, where d satisfies the condition of the Gilbert-Varshamov bound (see above). Clearly $E_t^n$ can be uniformly sampled by an algorithm S running in time polynomial in n (i.e. $S : \{0,1\}^{poly(n)} \to E_t^n$). Let $r \in \{0,1\}^{poly(n)}$ be a string such that $S(r) \in E_t^n$. Then

$$f(C, x, r) = (C,\ C(x) + S(r)),$$

where $C(x)$ is the codeword of x (i.e. $C(x)$ is the vector resulting from the matrix product $xC$). One can easily verify that the f just defined is semi-regular (i.e. $f_C(x, r) = C(x) + S(r)$ is regular for all but a negligible fraction of the C's). The vector $xC + e$ ($e = S(r)$) represents a codeword perturbed by the error vector e.

Assumption IDLC (Intractability of Decoding Random Linear Codes): There exists a constant $c > 0$ such that for any probabilistic polynomial time algorithm A, and sufficiently large k,

$$\Pr\left[A(C, C(x) + e) \ne x\right] > k^{-c},$$

where C is a randomly selected k-by-n matrix, $x \in_R \{0,1\}^k$ and $e \in_R E_t^n$.

Now, either assumption IDLC is false, which would be an earth-shaking result in coding theory, or pseudorandom generators do exist.

Corollary 9: The IDLC assumption implies the existence of pseudorandom generators. 

Proof: The one-wayness of the function / follows from IDLC. Using an extension of 
Theorem 2 (see subsection 2.6) the corollary follows. □ 

3.3. PRG Based on the Average Difficulty of Combinatorial Problems

Some combinatorial problems which are believed to be hard on the average can be used to construct a regular one-way function and hence be a basis for a pseudorandom generator. Consider, for example, the Subset-Sum Problem.

Input: A modulus M, $|M| = n$, and $n+1$ integers $a_0, a_1, \ldots, a_n$ of length n bits each.
Question: Is there a subset $I \subseteq \{1, \ldots, n\}$ such that $\sum_{i \in I} a_i \equiv a_0 \pmod M$?

Conjecture: The above problem is hard on the average, when the $a_i$'s and M are chosen uniformly in $[2^{n-1}, 2^n - 1]$.

Under the above conjecture, the following weakly-regular function is one-way:

$$f_{ss}(a_1, a_2, \ldots, a_n, M, I) = \left(a_1, a_2, \ldots, a_n, M,\ \sum_{i \in I} a_i \bmod M\right).$$
Appendix A: One-way functions which are not one-way on their iterates

Assuming that f is a (regular) one-way function, we construct a (regular) one-way function $\bar f$ which is easy to invert on the distribution obtained by iterating $\bar f$ twice. Assume for simplicity that f is length preserving (i.e. $|f(x)| = |x|$). Let $|x| = |y|$ and let

$$\bar f(xy) = 0^{|x|} f(x).$$

Clearly, $\bar f$ is one-way. On the other hand, for every $xy \in \{0,1\}^{2n}$, $\bar f(\bar f(xy)) = 0^n f(0^n)$ and $0^n f(0^n) \in \bar f^{-1}(0^n f(0^n))$.
Introduction

Most of the work done in cryptography in the last few years depends on the hardness of a few specific number theoretic problems, such as factoring, discrete log, etc. Since no one has so far been able to prove that these problems are genuinely hard, it is clearly of interest to find new candidates for hard problems. In this paper, we propose such a new candidate problem, namely the problem of predicting a sequence of consecutive Legendre (Jacobi) symbols modulo a prime (composite), when the starting point and possibly also the prime is unknown. Clearly, if this problem turns out to be hard, it can be used directly to construct a cryptographically strong pseudorandom bit generator. Its complexity seems to be unrelated to any of the well known number theoretical problems, whence it may be able to survive the discovery of fast factoring or discrete log algorithms. Although the randomness of Legendre sequences has been part of the folklore in number theory at least since the thirties, they have apparently not been considered for use in cryptography before.

We first survey some known results about the distribution of squares and non-squares modulo a prime. These results all support the assumption that Legendre sequences look random with respect to elementary statistical tests.

We then use Levin's Isolation Theorem [BoHi] to relate the complexity of predicting Legendre sequences to the complexity of predicting Jacobi sequences. The main result of this is that if Legendre sequences are unpredictable in a very weak sense, then Jacobi sequences modulo composites with enough prime factors are strongly unpredictable, as required for cryptographic strength.

We end the paper by giving results of some empirical tests on Legendre sequences, carried out for primes of length 25 to 400 bits. Also some possibilities for generalizing the ideas are mentioned. These ideas give significant efficiency improvements over the basic Legendre generator.



*This research was supported by the Danish Natural Science Research Council.

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 163-172, 1990.
© Springer-Verlag Berlin Heidelberg 1990

1. Notation

Let p be a k-bit prime, and let $a \in \mathbb{Z}_p^*$. We then define the Legendre symbol of a modulo p, $\left(\frac{a}{p}\right)$, to be 1 if a is a square modulo p, and -1 if a is a non-square. For convenience, we define $\left(\frac{0}{p}\right)$ to be 1.

When $n = p_1 \cdots p_r$ is a k-bit composite with prime factors $p_1, \ldots, p_r$, we define the Jacobi symbol of a modulo n to be $\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right) \cdots \left(\frac{a}{p_r}\right)$, for $0 \le a \le n-1$.

The Legendre sequence with starting point a and length l is the ±1 sequence

$$\left(\frac{a}{p}\right), \left(\frac{a+1}{p}\right), \ldots, \left(\frac{a+l-1}{p}\right).$$

Jacobi sequences are defined correspondingly.

We can now state formally our basic problem:

Problem P1.

Let L be the Legendre sequence modulo p with starting point a and length $P(k)$, for some polynomial P. Given L (but not a or p), find the next symbol $\left(\frac{a+P(k)}{p}\right)$. □

Correspondingly for Jacobi symbols:

Problem P2.

Let J be the Jacobi sequence modulo n with starting point a and length $P(k)$, for a polynomial P. Given J, find $\left(\frac{a+P(k)}{n}\right)$. □
2. Known Results On the Distribution of Squares Modulo a Prime

The distribution of quadratic residues and non-residues has been studied at least since the end of the last century. One of the first major contributions was made by Davenport [Da]:

Let S be a finite sequence of ±1's of length l. Let $\rho(S)$ be the number of occurrences of S in the complete Legendre sequence of p, i.e. the number of $a \in \mathbb{Z}_p$ such that

$$\left(\frac{a}{p}\right), \left(\frac{a+1}{p}\right), \ldots, \left(\frac{a+l-1}{p}\right) = S.$$

Davenport proved that

$$\rho(S) = \frac{p}{2^l} + O(p^{\epsilon}),$$

where ε is a constant between 0 and 1 which is only a function of l. In other words: the distribution of subsequences of fixed length tends to the uniform distribution exponentially in $\log_2(p)$. A uniform distribution is of course what one would expect from a really random sequence.

Perron [Pe] proved a more specific result: let $SQ(p)$ be the set of quadratic residues in $\mathbb{Z}_p$. Then for any a, the set $a + SQ(p)$ contains almost exactly as many squares as non-squares, the difference being 0 or 1, depending on whether p is 1 or 3 modulo 4. A similar result holds for $\mathbb{Z}_p \setminus SQ(p)$. This has a number of immediate consequences:

By setting a = 1, we get $\rho(1,1) = \rho(-1,1) = \rho(1,-1) = \rho(-1,-1)$, where the differences are at most 1.

In general, pairs of symbols separated by a fixed distance are uniformly distributed.

Define a block to be a run of consecutive 1's or -1's. Then by setting a = 1 we see that half the 1's in the Legendre sequence of p are at the end of a block, and similarly for -1's. Therefore the average length of a block is 2.

Later, Burde [Bu] extended Perron's result for p's congruent to 3 modulo 4. He obtained a system of linear equations with the number of occurrences of subsequences of a fixed length as unknowns. The rank of the system is quadratic as a function of the length of the subsequences considered, and therefore the equations quickly become insufficient to determine the complete distribution. 3 is the largest length for which it can be done, and as for length 2, the distribution is uniform, apart from an "error" of order $p^{-1}$.

Thus the results of Perron and Burde also support the assumption that Legendre sequences will look random with respect to elementary statistical tests.

From the work of Bach [Ba], one can get very interesting estimates on the distribution of subsequences whose length is allowed to grow with the size of the prime, in contrast with Davenport's results. This is based on results from algebraic geometry by Weil. For example, for p congruent to 3 modulo 4, one can obtain that

$$\left| \rho(S) - \frac{p}{2^l} \right| \le \frac{(l-1)\sqrt{p}}{2}$$

for any S of length l. Thus, there is a limit to "how bad" the distribution of subsequences can be; for example at least

$$\frac{2^l \sqrt{p}}{\sqrt{p} + 2^{l-1}(l-1)}$$

different subsequences of length l must occur in the complete Legendre sequence. In fact, the results are much more general, and can give information also about the distribution of other character values.

But since the bounds clearly get looser as the length l increases, we are still a long way from results that would imply the impossibility of predicting Legendre sequences in polynomial time.

Many other researchers (Eliott [El], Burgess[Bur]) have looked at this problem from 
other angles, typically they have been concerned with finding the smallest quadratic non 
residue, finding the first occurrence of a given substring, etc. Thus these results do not say 
much about the overall distribution, which is of course what we are interested in. 
The main conclusion of all this is a negative one: nothing has been found in the last 100 years or so which immediately renders Legendre sequences useless for pseudorandom bit generation.

3. Jacobi Sequences are Harder to Predict than Legendre Sequences

Let us first define formally the Legendre generator:

Definition 3.1

Let Q be a polynomial. Then with security parameter value k, the Legendre generator takes as input ("seed") a randomly chosen k-bit prime p and a uniformly chosen k-bit number a. It produces as output the Legendre sequence modulo p with starting point $a \bmod p$ and length $Q(k)$, where Legendre symbols are translated into bits such that -1 corresponds to a 1-bit, while 1 corresponds to a 0-bit. This sequence will be called $L(p, a)$, and its i-th element will be denoted $L(p, a)_i$. □

Similarly, we define the Jacobi generator:

Definition 3.2

Let P and Q be polynomials. Then with security parameter value k, the Jacobi generator takes as input $Q(k)$ randomly chosen k-bit primes $p_1, \ldots, p_{Q(k)}$ and $Q(k)$ uniformly chosen k-bit numbers $a_1, \ldots, a_{Q(k)}$. Put $n = p_1 \cdots p_{Q(k)}$ and let a be chosen such that a is congruent to $a_i$ modulo $p_i$ for $i = 1, \ldots, Q(k)$ ($p_i = p_j$ for $i \ne j$ only happens with negligible probability). The generator produces as output the Jacobi sequence modulo n with starting point a and length $P(k)$, where Jacobi symbols are translated into bits as above. The sequence will be called $J(n, a)$, and its i-th element will be called $J(n, a)_i$. □

Yao [Kr] has proved that, if given a prefix of the output from a pseudorandom bit generator it is still hard to predict the next bit, then output from the generator cannot be distinguished from truly random sequences by any feasible algorithm. Thus, informally speaking, all we have to do in order to prove the strength of our generators is to show that P1 or P2 are hard problems. This can also be stated using Levin's concept of isolation [BoHi]: consider some prefix of the output from the generator as a function of the seed. Then we would like the bit following the prefix to be isolated from the prefix itself.

In general, we can think of a pseudorandom bit generator as a probabilistic algorithm G which takes input x chosen from a finite set $X_m$, where $\{X_m\}_{m=1}^{\infty}$ is a family of finite sets, and m can be thought of as a security parameter. The output $G(x)$ is a bitstring whose i-th bit is denoted $G(x)_i$. We now have the following more formal definition of next-bit-security:

Definition 3.3

The generator G is said to be strongly unpredictable, if for all polynomials P and probabilistic polynomial size circuits C, the following holds only for finitely many m: there exists an i, such that

$$\Pr\left\{ C(G(x)_1, \ldots, G(x)_{i-1}) = G(x)_i \right\} > \frac{1}{2} + \frac{1}{P(m)},$$

where $C(G(x)_1, \ldots, G(x)_{i-1})$ denotes the output of C on input $G(x)_1, \ldots, G(x)_{i-1}$, and the probability is taken over the coinflips of C and a uniform choice of $x \in X_m$. □

Definition 3.4

The generator G is said to be weakly unpredictable, if the statement in Definition 3.3 holds, with the probability $\frac{1}{2} + \frac{1}{P(m)}$ replaced by $1 - \frac{1}{P(m)}$. □

Thus, for weak unpredictability, we allow algorithms that guess better as m increases, as long as the success probability does not approach 1 too rapidly.

For the next results, we need some more notation:

Definition 3.5

Let G be a pseudorandom bitgenerator as above, and let Q be a polynomial. Then $G^{Q(m)}$ is a pseudorandom bitgenerator which takes as input $x = (x_1, \ldots, x_{Q(m)})$, where the $x_j \in X_m$ are chosen uniformly and independently. It produces as output the sequence whose i-th element is

$$G^{Q(m)}(x)_i = G(x_1)_i \oplus \cdots \oplus G(x_{Q(m)})_i.$$
We now quote from [BoHi] the following definition and theorem:

Definition 3.6

Let $\{X_m\}$ be an infinite family of finite sets, and let B be a function mapping $X_m$ to $\{0,1\}$. Let f be a function such that $f : X_m \to \{0,1\}^{P(m)}$ for some polynomial P. Then we say that B is $(\rho, T)$-isolated from f if every circuit C with $P(m)$ inputs and size at most T satisfies

$$\left| \Pr\left(C(f(x)) = B(x)\right) - \frac{1}{2} \right| < \frac{\rho}{2},$$

where x is chosen uniformly from $X_m$. □

Thus, isolation measures the hardness of predicting $B(x)$ given $f(x)$.

Theorem 3.1 (Levin's Isolation Theorem)

If the functions $b_i(x_i)$ are $(\rho, T)$-isolated from $f_i(x_i)$ for all $1 \le i \le n$, then for every $\epsilon > 0$, the function $b_1(x_1) \oplus \cdots \oplus b_n(x_n)$ is $\left(\rho^n + \epsilon,\ \epsilon^2 (1-\rho)^2 T\right)$-isolated from $f_1(x_1), \ldots, f_n(x_n)$. □
From this follows:

Theorem 3.2

Suppose that the pseudorandom bitgenerator G is weakly unpredictable. Then $G^{m^2}$ is strongly unpredictable.

Proof.

For $x \in X_m$, let $P_i(G(x))$ denote the prefix of $G(x)$ of length $i-1$. Then weak unpredictability implies that for all i smaller than the output length of G, $G(x)_i$ is $\left(1 - \frac{2}{R(m)},\ T(m)\right)$-isolated from $P_i(G(x))$ for arbitrary polynomials R and T and all sufficiently large m. Put $\rho(m) = 1 - \frac{2}{m}$. Using the notation of Definition 3.5, we obtain from Levin's theorem by choosing $R(m) = m$ that $G^{m^2}(x)_i$ is $\left(\rho(m)^{m^2} + \epsilon,\ \epsilon^2 (1 - \rho(m))^2 T(m)\right)$-isolated from $P_i(G(x_1)), \ldots, P_i(G(x_{m^2}))$. From this last bit string, it is easy to compute $P_i(G^{m^2}(x))$. Moreover, $\rho(m)^{m^2} = (1 - 2/m)^{m^2} \le e^{-2m}$ converges to 0 faster than any polynomial fraction. From these facts, we get the strong unpredictability of $G^{m^2}$ by choosing $\epsilon = \frac{1}{P(m)}$, where P is the polynomial from Definition 3.3. □

Alternatively, we could have used Yao's xor-Theorem, although the conclusion of 
that theorem as stated in [Kr] is slightly weaker than that of Levin's Theorem. 

Theorem 3.2 was already known (see [Kr]) for the special case of generators con- 
structed with an unapproximable predicate and a friendship function [BlMi]. 

We call attention to two points in connection with this result, which are of interest from a cryptographic point of view:

What Theorem 3.2 proves is that the next bit of the XOR of several generators is hard to predict, even when given prefixes of the output from each individual generator. But in a known plaintext attack on the resulting cryptosystem, a cryptanalyst only knows the XOR of the prefixes, and therefore seems to be faced with an even harder problem. It would be very interesting to find out whether the conditions on G needed to make $G^{m^2}$ strong can be relaxed using this fact.

With essentially the same argument as for Theorem 3.2, one can prove a more general statement, which loosely speaking says that if the generator G cannot be predicted with probability better than $1 - \frac{1}{R(m)}$ for some polynomial R, then the generator $G^{m \cdot R(m)}$ is strongly unpredictable. In other words: by XOR-ing more "copies" of G, one can get away with a weaker assumption on the security of G.

It is now trivial to prove:

Corollary 3.1

If the Legendre Generator is weakly unpredictable, then the Jacobi Generator is strongly unpredictable. □

Proof.

By the way we translate Legendre and Jacobi symbols into bits, it is clear that the Jacobi generator in fact outputs the XOR of the output of several Legendre generators. We can therefore use Theorem 3.2. □
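To make Definitions 3.1 and 3.2 and the proof of Corollary 3.1 concrete, here is an added Python example (not from the paper): it implements the Legendre symbol by Euler's criterion with the paper's convention $(\frac{0}{p}) = 1$, the bit translation $-1 \mapsto 1$, $1 \mapsto 0$, the Legendre generator $L(p, a)$, the Jacobi generator $J(n, a)$ with a obtained from $a_1, \ldots, a_Q$ by the Chinese remainder theorem, and a check that $J(n, a)$ is bit for bit the XOR of the $L(p_i, a_i)$. The three primes and starting points in the demo are constructed sample values, not seeds used in the paper, and all function names are this example's own.

```python
def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, with (0/p) := 1 as in Section 1.
    Euler's criterion: a^((p-1)/2) mod p is 1 for squares and p-1 for non-squares."""
    a %= p
    if a == 0:
        return 1
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def jacobi(a, primes):
    """Jacobi symbol (a/n), n = product of `primes`, as the product of Legendre symbols."""
    s = 1
    for p in primes:
        s *= legendre(a, p)
    return s


def to_bit(symbol):
    """Definition 3.1's translation: -1 -> 1-bit, +1 -> 0-bit."""
    return 1 if symbol == -1 else 0


def legendre_generator(p, a, length):
    """L(p, a): bits of (a/p), ((a+1)/p), ..., ((a+length-1)/p)."""
    return [to_bit(legendre(a + i, p)) for i in range(length)]


def crt(residues, primes):
    """Smallest a >= 0 with a = a_i (mod p_i) for all i (distinct primes assumed)."""
    n = 1
    for p in primes:
        n *= p
    a = 0
    for r, p in zip(residues, primes):
        m = n // p
        a = (a + r * m * pow(m, -1, p)) % n
    return a


def jacobi_generator(primes, residues, length):
    """J(n, a) of Definition 3.2: n = p_1...p_Q, a = a_i (mod p_i), symbols of a, a+1, ..."""
    a = crt(residues, primes)
    return [to_bit(jacobi(a + i, primes)) for i in range(length)]


def xor_of_legendre_generators(primes, residues, length):
    """Right-hand side of the proof of Corollary 3.1: XOR of the Q Legendre generators.
    It equals J(n, a) because (a+i) = (a_j+i) (mod p_j) for every j, and a product of
    +-1 symbols corresponds exactly to the XOR of the translated bits."""
    out = [0] * length
    for p, r in zip(primes, residues):
        for i, bit in enumerate(legendre_generator(p, r, length)):
            out[i] ^= bit
    return out


if __name__ == "__main__":
    # Constructed sample seed: three 20-bit primes and three starting points.
    primes = [1000003, 1000033, 1000037]
    residues = [123456, 654321, 111111]
    j = jacobi_generator(primes, residues, 64)
    assert j == xor_of_legendre_generators(primes, residues, 64)
    print("".join(map(str, j)))
```

Note that the equality holds for every prefix length, so anything that predicts the next bit of $J(n, a)$ from a prefix is predicting the XOR of the next bits of Q independent Legendre generators, which is exactly the situation of Theorem 3.2.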

4. Empirical Tests

A number of elementary statistical tests were performed on primes and sequences of various lengths. The primes were of length approximately 25, 50, 100, 200 and 400 bits, and 6 primes of each length were tested. The sequence length was fixed to $100 \cdot \log_2(p)$.

The sequences were generated using special purpose hardware (a FAP4- processor), 
and the tests included: 

A Chi-square test for equidistribution of subsequences of length 1 to 10. For each 
subsequence length a Chi-square value was computed based on the occurrences 
found. Representative results for the distribution of these Chi-square values can be 
found in Fig. 1 . 

A Chi-square test on the distribution of block lengths. This produced results quite 
similar to those of the subsequence test. 

A test on the linear complexity of the strings. Using the Berlekamp-Massey algorithm, the linear complexity of prefixes of the Legendre sequences was computed. For a really random sequence, the linear complexity is expected to be close to half the sequence length [Ru]. Our sequences seem to fit nicely with this expectation. Fig. 2 shows a typical result.

No statistical weaknesses were found during these tests, and moving to composite 
numbers and Jacobi symbols produced no significant change in the results. 

This can hardly be said to be surprising: as mentioned, all known results indicate that a highly non-elementary test would be needed to detect any weakness in the Legendre generator.

Finally, let us remark that the tests mentioned here are just preliminary. Many other 
and more sophisticated tests with larger test material could (and should) be carried out. 
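The subsequence chi-square test and the Berlekamp-Massey linear complexity test described in this section can be reproduced on a small scale in software. The Python below is an added example (the paper's own runs used a FAP4 processor and are not reproduced here): `legendre_bits` regenerates $L(p, a)$ of Definition 3.1, `chi_square` computes the statistic for overlapping subsequences of length l with $2^l - 1$ degrees of freedom, `linear_complexity` is Berlekamp-Massey over GF(2), `complexity_profile` gives the kind of curve shown in Fig. 2, and `lfsr_bits` is a sanity check that the algorithm recovers the length of a known LFSR. The prime, starting point and feedback polynomial are constructed sample values; all function names are this example's own.

```python
from collections import Counter
from itertools import product


def legendre_bits(p, a, length):
    """L(p, a) of Definition 3.1: bit 0 for squares (and for 0), bit 1 for non-squares."""
    out = []
    for i in range(length):
        v = (a + i) % p
        out.append(0 if v == 0 or pow(v, (p - 1) // 2, p) == 1 else 1)
    return out


def chi_square(bits, l):
    """Chi-square statistic for the equidistribution of the 2^l overlapping
    subsequences of length l (2^l - 1 degrees of freedom)."""
    counts = Counter(tuple(bits[i:i + l]) for i in range(len(bits) - l + 1))
    total = len(bits) - l + 1
    expected = total / 2 ** l
    return sum((counts.get(pat, 0) - expected) ** 2 / expected
               for pat in product((0, 1), repeat=l))


def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR producing `bits`.
    A random sequence of length n is expected to have complexity close to n/2 [Ru]."""
    n = len(bits)
    c, b = [0] * n, [0] * n          # current and previous connection polynomials
    c[0] = b[0] = 1
    L, m = 0, -1                     # current complexity, index of last length change
    for i in range(n):
        d = bits[i]                  # discrepancy between the LFSR prediction and bit i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


def lfsr_bits(taps, state, length):
    """Output of the LFSR s_{i+L} = XOR of s_{i+t} for t in taps, L = len(state)."""
    state = list(state)
    out = []
    for _ in range(length):
        out.append(state[0])
        state = state[1:] + [sum(state[t] for t in taps) % 2]
    return out


def complexity_profile(bits, step):
    """Linear complexity of successive prefixes, the quantity plotted in Fig. 2."""
    return [(n, linear_complexity(bits[:n])) for n in range(step, len(bits) + 1, step)]


if __name__ == "__main__":
    p, a = 1000003, 12345            # constructed sample prime and starting point
    bits = legendre_bits(p, a, 2000)
    for l in range(1, 6):
        print(f"l={l}: chi-square {chi_square(bits, l):.2f} ({2 ** l - 1} d.o.f.)")
    print(complexity_profile(bits[:400], 100))
```

The LFSR check matters in practice: Berlekamp-Massey returns exactly the degree of the feedback polynomial for any output of a known LFSR (5 for $x^5 + x^2 + 1$), so a generator whose profile flattens out well below $n/2$ is revealed immediately, while a profile hugging $n/2$ is what the paper reports for Legendre sequences.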

5. Practical Implementation 

If one wants to use special purpose hardware in implementing this system, using 
Gauss's Reciprocity Theorem for computing Legendre symbols hardly seems an attractive 
solution, at least judging from the hardware available today: most modular arithmetic 
chips are much better suited for exponentiation. 

Computing Legendre and Jacobi symbols by exponentiation is cubic in the length of the modulus, and therefore slower asymptotically than generators based on squaring modulo a composite. In practice, the difference may not be so large, however, since it is not at all clear that one must use primes large enough to make discrete log hard, for example.
If for example we use the Jacobi generator with 2 prime factors of size about 25 bits, this produces an effective key space of more than 90 bits, which is certainly enough to prevent exhaustive search.

If one is willing to use the same amount of hardware as would be needed for a 600 bit RSA implementation, one could compute 12 bits of the keystream in parallel, which with state of the art hardware would give a speed of about 100 Kbits per sec. Even use of just 2 25-bit slices would still give a speed of about 10 Kbits per sec.

6. Generalizations 

The method we present can be generalized in several ways:

6.1. The Linear Congruence Method

First, one could consider, instead of Legendre symbols of consecutive numbers, symbols for numbers generated by the well known Linear Congruence Generator, i.e. taking Legendre symbols for a sequence $a_1, \ldots, a_n$, where

$$a_{i+1} = (m a_i + b) \bmod p,$$

for constants m and b, and a prime p. Note, however, that since

$$a_i = m^{i-1} a_1 + m^{i-2} b + \cdots + m b + b,$$

then by the multiplicative property of Legendre symbols,

$$\left(\frac{a_i}{p}\right) = \left(\frac{b}{p}\right) \left(\frac{a'_i}{p}\right),$$

where $a'_1 = a_1 b^{-1}$, and $a'_{i+1} = m a'_i + 1$. So if this generalization is used in a cryptosystem, there is no point in including the choice of b in the key: up to a sign, all the possible sequences can already be obtained just by using b = 1 and varying the starting point $a_1$. Variation of m, on the other hand, does seem to generate new sequences compared to the basic Legendre generator. This introduces a possibility of enlarging the key-space without using a larger prime.

One should take some care, however, in choosing $m$, as shown by the following 
Lemma: 

Lemma 6.1 

The period of the sequence defined by $a_1 = a$ and $a_{i+1} = (m a_i + b) \bmod p$ for a prime $p$ is 

$$\begin{cases} p & \text{if } m = 1, \\ \mathrm{ord}(m) & \text{if } m \neq 1 \text{ and } a \neq -\dfrac{b}{m-1}, \\ 1 & \text{otherwise,} \end{cases}$$ 

where $\mathrm{ord}(m)$ denotes the order of $m$ as an element of $\mathbb{Z}_p^*$. 

Proof. 

The $m = 1$ case is trivial. For the other cases, use the recurrence 

$$a_{n+k} = \left(m^k a_n + \frac{m^k - 1}{m-1}\, b\right) \bmod p$$ 

and elementary number theory. □ 

Thus, the starting point for the sequence should be chosen different from $-\dfrac{b}{m-1}$, and 
$\mathrm{ord}(m)$ should be large. This can be ensured by choosing $p$ such that the factorization of 
$p-1$ is known, computing the order of a candidate $m$ from this, and discarding low-order $m$'s. 
In practice, however, it is probably better to construct $p$ such that $p-1$ has a large prime 
factor $q$. Then an $m$ chosen uniformly from $]0, p-1]$ will have order divisible by $q$ 
with probability $1 - q^{-1}$. 

Finally, let us remark that the results of Perron (see Section 2) for the basic Legendre 
sequences are easily seen to generalize to sequences generated by the method from this 
section. 
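The three claims of this subsection checked in code, as an added example that is not code from the paper: that $b$ only multiplies the whole Legendre sequence by the fixed sign $(b/p)$, that the period of the recurrence is the one stated in Lemma 6.1, and that a uniformly chosen $m$ has order divisible by a prime $q \mid p-1$ with probability $1 - q^{-1}$. The primes 13, 23 and 1000003 and all other parameters are toy values chosen for this example.

```python
# Added example, not code from the paper: the linear-congruence variant of Section 6.1.
# It checks (a) that b only multiplies the whole Legendre sequence by the fixed sign
# (b/p), so b adds nothing to the key, (b) the period stated in Lemma 6.1 against a
# direct simulation, and (c) the 1 - 1/q estimate for the fraction of m whose order is
# divisible by a prime q | p-1. All moduli are toy values chosen for illustration.
from fractions import Fraction

def legendre(a, p):
    a %= p
    if a == 0:
        return 0
    return -1 if pow(a, (p - 1) // 2, p) == p - 1 else 1

def lcg_legendre_sequence(p, m, b, a1, length):
    """Legendre symbols of a_1, a_2, ... where a_{i+1} = (m*a_i + b) mod p."""
    out, a = [], a1 % p
    for _ in range(length):
        out.append(legendre(a, p))
        a = (m * a + b) % p
    return out

def b_is_redundant(p, m, b, a1, length):
    """(a_i/p) = (b/p) * (a'_i/p) with a'_1 = a_1 b^-1 and a'_{i+1} = m a'_i + 1."""
    sign = legendre(b, p)
    ref = lcg_legendre_sequence(p, m, 1, a1 * pow(b, -1, p) % p, length)
    return lcg_legendre_sequence(p, m, b, a1, length) == [sign * s for s in ref]

def multiplicative_order(m, p):
    """Order of m in Z_p^* by brute force (fine for toy p)."""
    m %= p
    k, x = 1, m
    while x != 1:
        x = x * m % p
        k += 1
    return k

def simulated_period(p, m, b, a1):
    """Period of a_{i+1} = (m*a_i + b) mod p found by running the recurrence."""
    a, seen, i = a1 % p, {}, 0
    while a not in seen:
        seen[a] = i
        a = (m * a + b) % p
        i += 1
    return i - seen[a]

def lemma_6_1_period(p, m, b, a):
    """Period predicted by Lemma 6.1: p if m = 1; ord(m) if m != 1 and a != -b/(m-1);
    1 otherwise (a is then the fixed point of the map)."""
    if m % p == 1:
        return p
    fixed_point = (-b) * pow(m - 1, -1, p) % p
    return multiplicative_order(m, p) if a % p != fixed_point else 1

def fraction_with_order_divisible_by(p, q):
    """Fraction of m in ]0, p-1] whose order in Z_p^* is divisible by the prime q | p-1,
    an independent check of the text's 1 - q^-1 estimate."""
    hits = sum(1 for m in range(1, p) if multiplicative_order(m, p) % q == 0)
    return Fraction(hits, p - 1)
```

The fixed point $-b/(m-1)$ is the one value of $a$ for which the map $a \mapsto ma + b$ is stationary; every other starting point lies on a cycle whose length is the order of $m$, which is why lemma_6_1_period and simulated_period agree for all three cases of the lemma.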

6.2. Using Other Character Values 

Another interesting idea is to consider other characters than the quadratic one. Such 
character values can also be produced easily by exponentiation: If $q$ is a divisor of $p-1$, 
then $a \mapsto a^{(p-1)/q}$ is a surjective homomorphism from $\mathbb{Z}_p^*$ to $G$, the subgroup of order $q$. 
By choosing some 1-1 correspondence between elements of $G$ and the set of complex $q$'th 
roots of unity, each element in $G$ corresponds to one of the $q$ possible values of the 
corresponding character of $\mathbb{Z}_p^*$. These elements can be represented by bit strings of length 
approximately $\log_2(q)$. We can therefore construct a generator by computing $a^{(p-1)/q}$ for 
consecutive values of $a$, and at each point output the corresponding bit string. Clearly, 
there is a limit to how large $q$ can be chosen before the generator becomes insecure (just 
consider $q = p-1$!). Determining the maximal useful value of $q$ will be an interesting field 
for new research. This problem can be thought of as corresponding to that of finding out 
how many of the least significant RSA-bits are cryptographically secure (see for example 
[MiSc]). 
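The character generator of this subsection, as an added example that is not code from the paper: the map $a \mapsto a^{(p-1)/q}$ lands in the order-$q$ subgroup $G$, each element of $G$ is given an index in $0, \ldots, q-1$ as a stand-in for the correspondence with the $q$'th roots of unity, and the index is emitted as a $\lceil \log_2 q \rceil$-bit string. With $q = 2$ the block reduces to the Legendre generator. The prime $p = 13$ with primitive root 2 is a toy parameter of this example.

```python
# Added example, not code from the paper: the character generator of Section 6.2.
# a -> a^((p-1)/q) mod p maps Z_p^* onto the subgroup G of order q. Each element of G is
# given an index 0..q-1 (standing in for the 1-1 correspondence with the complex q'th
# roots of unity: index i <-> exp(2*pi*i/q)); the generator emits that index as a
# ceil(log2 q)-bit string for consecutive a. q = 2 recovers the Legendre generator.
# p = 13 with primitive root 2 is a toy parameter chosen for illustration.
import math

def subgroup_of_order_q(p, q, g):
    """Elements of G listed as h^0, h^1, ..., h^(q-1) with h = g^((p-1)/q),
    where g generates Z_p^* (so h has exact order q). Requires q | p-1."""
    assert (p - 1) % q == 0
    h = pow(g, (p - 1) // q, p)
    elems = [pow(h, i, p) for i in range(q)]
    assert len(set(elems)) == q, "g^((p-1)/q) does not have order q"
    return elems

def character_index(a, p, q, table):
    """Index of chi(a) among the q character values, i.e. the exponent i with
    a^((p-1)/q) = h^i; None for a = 0 mod p."""
    if a % p == 0:
        return None
    return table[pow(a, (p - 1) // q, p)]

def character_keystream(p, q, g, start, count):
    """ceil(log2 q) output bits per point for a = start, start+1, ...; a multiple of p
    (never hit in practice for a random start and large p) is emitted as zeros."""
    table = {e: i for i, e in enumerate(subgroup_of_order_q(p, q, g))}
    width = max(1, math.ceil(math.log2(q)))
    bits = []
    for i in range(count):
        idx = character_index(start + i, p, q, table) or 0
        bits.extend((idx >> (width - 1 - j)) & 1 for j in range(width))
    return bits

def is_homomorphism(p, q, g, pairs):
    """chi(ab) = chi(a) chi(b): indices add modulo q (for a, b prime to p)."""
    table = {e: i for i, e in enumerate(subgroup_of_order_q(p, q, g))}
    for a, b in pairs:
        lhs = (character_index(a, p, q, table) + character_index(b, p, q, table)) % q
        if lhs != character_index(a * b, p, q, table):
            return False
    return True
```

The index table is a discrete-logarithm table inside $G$; for $q = p-1$ it is the full discrete-logarithm table of $\mathbb{Z}_p^*$, which is the concrete reason the text gives that $q$ cannot be taken that large.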

7. Conclusion and Open Problems 

We have presented a new pseudorandom bit generator, based on a number theoretic 
problem, the complexity of which may be unrelated to the well known candidate hard 
problems in number theory. 

We have seen that to prove the cryptographic strength of the generator, it is enough to 
prove that Legendre Sequences are weakly unpredictable. 

A number of open problems remain, however: 

Are Legendre sequences weakly unpredictable? 

Is the complexity of predicting Legendre sequences related to other number theoretic 
problems? 

Are other characters than the quadratic one usable for pseudo random generators? 
1. Introduction 

A random number generator (RNG) is an efficient algorithm that transforms short 
random seeds into long pseudo-random strings. A classical RNG is the linear congruential 
generator (LCG) that is based on the recursion $x_{i+1} = a x_i + b \pmod N$. It is well known 
that the LCG passes certain statistical tests, e.g. for a clever choice of the parameters 
$a, b, N$ it generates well mixed numbers (see Knuth 1980). There are more elaborate 
statistical tests which the LCG fails. Stern (1987) shows that the sequence generated by 
the LCG can be inferred even if the parameters $a, b, N$ and the seed $x_0$ are all unknown. 

The concept of perfect random number generator has been introduced by Blum, Micali 
(1982) and Yao (1982). A RNG is perfect if it passes all polynomial time statistical tests, 
i.e. the distribution of output sequences cannot be distinguished from the uniform 
distribution of sequences of the same length. So far the proofs of perfectness are all 
based on unproven complexity assumptions. This is because we cannot prove 
superpolynomial complexity lower bounds. 

Perfect random number generators have been established for example based on the 
discrete logarithm by Blum, Micali (1982), based on quadratic residuosity by Blum, 
Blum, Shub (1986), based on one way functions by Yao (1982), based on RSA encryption 
and factoring by Alexi, Chor, Goldreich and Schnorr (1984). All these RNG's are less 
efficient than the LCG. The RSA/RABIN-generator is the most efficient of these 
generators. It successively generates log n pseudo-random bits by one modular 
multiplication with a modulus N that is n bit long. The modulus N must be at least 512 
bits long. 

We extend and accelerate the RSA-generator in various ways. We give evidence for more 
powerful complexity assumptions that yield more efficient generators. Let $N = pq$ be the 
product of two large random primes $p$ and $q$ and let $d$ be a natural number that is 
relatively prime to $\varphi(N) = (p-1)(q-1)$. The number $d$ must be small compared to $\log N$ so 
that the interval $[1, N^{2/d}]$ is sufficiently large. We conjecture that the following 
distributions are indistinguishable by efficient statistical tests (see Hypothesis 2.1): 

• the distribution of $x^d \pmod N$ for random $x \in [1, N^{2/d}]$, 
• the uniform distribution on $[1,N]$. 

This hypothesis is closely related to the security of the RSA-scheme. Under this 
hypothesis the transformation 

$$[1, N^{2/d}] \ni x \mapsto x^d \pmod N \in [1,N]$$ 

stretches short random seeds $x \in [1, N^{2/d}]$ into pseudo-random numbers $x^d \pmod N$ in 
the interval $[1,N]$. We build various random number generators on this transformation. 
The sequential polynomial generator (SPG) generates from a random seed $x \in [1, N^{2/d}]$ a 
sequence of numbers $x = x_1, x_2, \ldots, x_i, \ldots \in [1, N^{2/d}]$. The $n(1-2/d)$ least significant bits of 
the binary representation of $x_i^d \pmod N$ are the output of $x_i$ and the $2n/d$ most 
significant bits form the successor $x_{i+1}$ of $x_i$. 

It follows from a general argument of Goldreich, Goldwasser, Micali (1986) and the 
above hypothesis that all these generators are perfect, i.e. the distribution of output 
strings is indistinguishable, by efficient statistical tests, from the uniform distribution 
of binary strings of the same length. The sequential generator is nearly as efficient as 
the LCG. Using a modulus $N$, that is $n$ bits long, it outputs $n(1-2/d)$ pseudo-random bits 
per iteration step. The cost of an iteration step $x \mapsto x^d \pmod N$ with $x \in [1, N^{2/d}]$ 
corresponds to the cost of about one full multiplication modulo $N$. This is because the 
evaluation of $x^d \pmod N$ over numbers $x < N^{2/d}$ consists almost entirely of 
multiplications with small numbers that do not require modular reduction. 

We extend the SPG to a parallel polynomial generator (PPG). The PPG generates from a 
random seed $x \in [1, N^{2/d}]$ a tree. The nodes of this iteration tree are pseudo-random 
numbers in $[1, N^{2/d}]$ with outdegree at most $d/2$. To compute the successor nodes 
$y(1), \ldots, y(s)$ and the output string of node $y$ we stretch $y$ into a pseudo-random number 
$y^d \pmod N$ that is $n$ bits long. Then the successors $y(1), \ldots, y(s)$ of $y$ are obtained by 
partitioning the most significant bits of $y^d \pmod N$ into $s \le d/2$ bit strings of length 
$\lfloor 2n/d \rfloor$. The output of node $y$ consists of the remaining least significant bits of $y^d \pmod N$. 
Any collection of subtrees of the iteration tree can be independently processed in 
parallel once the corresponding roots are given. In this way $m$ parallel processors can 
speed the generation of pseudo-random bits by a factor $m$. These parallel processors need 
not communicate; they are given pseudo-independent input strings and their output 
strings are simply concatenated. The concatenated output of all nodes of the iteration 
tree is pseudo-random, i.e. the parallel generator is perfect. The PPG enables fast 
retrieval of substrings of the pseudo-random output. To access a node of the iteration 
tree we follow the path from the root to this node. After retrieving a bit the subsequent 
bits in the output can be generated at full speed. Iteration trees of depth at most 60 are 
sufficient for practical purposes; they generate pseudo-random strings of length $10^{20}$ (for 
outdegree 2) such that individual bits can be retrieved within a few seconds. 
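The iteration tree just described, as an added example that is not code from the paper: each node $y$ is stretched to $y^d \bmod N$, the top $s$ chunks of $\lfloor 2n/d \rfloor$ bits become the successors and the low bits the node's output, and random_access_bit reaches any bit of the concatenated output by walking only the root-to-node path. The concatenation order (pre-order over a complete tree of fixed depth), the treatment of chunks as plain integers, and the 40-bit modulus N_TOY $= 1000003 \cdot 999983$ are assumptions of this example, not the paper's.

```python
# Added example, not code from the paper: the parallel polynomial generator (PPG) of
# the introduction on the transformation y -> y^d mod N. Each node y is stretched to
# Y = y^d mod N, viewed as an n-bit string; its s <= d/2 successors are the s top chunks
# of l = floor(2n/d) bits and its output the remaining n - s*l low bits.
# random_access_bit() reaches one bit by walking the root-to-node path only and is
# checked against a full generation. Assumptions of this example, not of the paper:
# the concatenation order is pre-order over a complete s-ary tree of depth `depth`,
# chunks are taken as plain integers (a zero chunk is allowed), and the modulus
# N_TOY = 1000003 * 999983 (40 bits) is a constructed toy value.

N_TOY = 1000003 * 999983

def node_expand(y, d, N, n, l, s):
    """Return (successors y(1..s), output bits) of node y."""
    Y = pow(y, d, N)
    out_width = n - s * l
    top = Y >> out_width
    succ = [(top >> ((s - 1 - c) * l)) & ((1 << l) - 1) for c in range(s)]
    out = [(Y >> (out_width - 1 - j)) & 1 for j in range(out_width)]
    return succ, out

def subtree_size(height, s):
    """Number of nodes in a complete s-ary tree of the given height (0 = one node)."""
    return (s ** (height + 1) - 1) // (s - 1)

def ppg_preorder(seed, d, N, n, l, s, depth):
    """Concatenated output of the whole iteration tree, nodes visited in pre-order."""
    bits = []

    def visit(y, height):
        succ, out = node_expand(y, d, N, n, l, s)
        bits.extend(out)
        if height > 0:
            for child in succ:
                visit(child, height - 1)

    visit(seed, depth)
    return bits

def random_access_bit(seed, d, N, n, l, s, depth, i):
    """Bit i of ppg_preorder(...) computed from the root-to-node path alone:
    at most `depth` exponentiations instead of regenerating everything before it."""
    out_width = n - s * l
    k, offset = divmod(i, out_width)       # k = pre-order index of the node
    y, height = seed, depth
    while k > 0:
        k -= 1                              # step past the current node
        block = subtree_size(height - 1, s) # size of each child's subtree
        child, k = divmod(k, block)
        y = node_expand(y, d, N, n, l, s)[0][child]
        height -= 1
    return node_expand(y, d, N, n, l, s)[1][offset]

def random_access_matches_full_output(seed, d, N, s, depth):
    """Cross-check: every bit agrees with the full generation, and the number of
    bits is (#nodes) * (n - s*l)."""
    n = N.bit_length()
    l = (2 * n) // d
    full = ppg_preorder(seed, d, N, n, l, s, depth)
    if len(full) != subtree_size(depth, s) * (n - s * l):
        return False
    return all(random_access_bit(seed, d, N, n, l, s, depth, i) == full[i]
               for i in range(len(full)))
```

With $d = 8$, $n = 40$ and $s = 2$ each node emits $40 - 2 \cdot 10 = 20$ bits; reaching a bit costs at most `depth` exponentiations, and subtrees can be handed to separate processors because a node's value depends only on the path from the root.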

The parallel generator is based on a method that has been invented by Goldreich, 
Goldwasser and Micali (1984) for the construction of random functions. Our contribution 
consists of the observation that this construction can be applied to speed up every perfect 
random number generator by a factor m using m parallel processors. Using this principle 
and sufficiently many parallel processors we can generate pseudo-random bits with 
almost any speed. This important method of parallelization applies to all perfect RNG's 
but the RSA-generator is particularly suited for this method. Our method of 
parallelization does not apply to imperfect RNG's such as the LCG since this method can 
further deteriorate a weak generator. 

The paper is organized as follows. In section 2 we formulate our basic Hypothesis which 
is somewhat stronger than the assumption that factoring large integers is difficult. We 
give support to this hypothesis and show that a weak version of it follows from the 
assumption that the RSA-scheme is safe. We present in section 3 sequential and parallel 
random number generators that are based on this hypothesis. In the open problem session 
we question whether there exist perfect pseudo-random number generators that use a 
prime modulus. This would lead to pseudo-random number generators which use a 
modulus that is only 224 bits long. 



2. The Complexity Assumption for the Polynomial Random Generator 

Let $P(x)$ be a polynomial of degree $d \ge 2$ with integer coefficients and let $N$ be an 
integer that is $n$ bits long, i.e. $2^{n-1} < N \le 2^n$. We denote $l = \lfloor 2n/d \rfloor$. Residue classes 
modulo $N$ are identified with the corresponding integers in the interval $[1,N]$. 

The polynomial generator is based on the transformation 

$$[1,M] \ni x \mapsto P(x) \bmod N \qquad (1)$$ 

where $x$ ranges over a sufficiently large subinterval $[1,M]$ of $[1,N]$. We would like that 
the outputs of (1), for random $x \in [1,M]$ and given $N$, $M$ and $P$, be indistinguishable 
from random $y \in [1,N]$. The following conditions and restrictions are clearly necessary. 
• The modulus $N$ must be difficult to factor since given the factorization of $N$ we can 
easily invert (1). 

• The interval $[1,M]$ must be so large that a random seed $x \in [1,M]$ cannot be easily 
recovered from $P(x) \pmod N$ by guessing $x$. $M$ must be sufficiently large to make 
$P(x)/N$ large for almost all $x \in [1,M]$. This is because we can easily invert (1) 
provided that $P(x)/N$ is small. 

• $P(x)$ must not be a square polynomial. If $P(x) = Q(x)^2$ for some polynomial $Q$ then 
the Jacobi-symbol $\left(\frac{P(x)}{N}\right)$ is $1$ for all $x$ whereas $\mathrm{prob}\left[\left(\frac{y}{N}\right) = 1\right] = \mathrm{prob}\left[\left(\frac{y}{N}\right) = -1\right]$ 
for random $y \in [1,N]$. Since the Jacobi-symbol can be evaluated efficiently we 
can distinguish $P(x) \bmod N$ from random numbers $y \in [1,N]$. 

• $P(x)$ must not be a linear transform of a square polynomial. If $P(x) = aQ(x)^2 + b$ we 
can, from $P(x) \bmod N$, recover $Q(x)^2 \bmod N$ and check that $\left(\frac{Q(x)^2}{N}\right) = 1$. 
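The square-polynomial condition made concrete, as an added example that is not code from the paper: the Jacobi symbol $(y/N)$ is computable by quadratic reciprocity without the factorization of $N$, so "output 1 iff $(y/N) = 1$" is a polynomial-time statistical test; it accepts every value $Q(x)^2 \bmod N$ but only about half of uniform $y \in [1,N]$, and it does not separate the outputs of an RSA-polynomial such as $x^3$ from uniform. The modulus N_TOY $= 1000003 \cdot 999983$, the polynomial $Q(x) = x^2 + 3x + 1$, the seed interval and the sampling are constructed for this example.

```python
# Added example, not code from the paper: why the square-polynomial conditions above
# are necessary. The Jacobi symbol (y/N) is computable by quadratic reciprocity without
# factoring N, so "output 1 iff (y/N) = 1" is a polynomial-time statistical test. It
# answers 1 for every output Q(x)^2 mod N, but only about half the time on uniform
# y in [1,N] or on outputs of an RSA-polynomial such as x^3. Toy modulus
# N_TOY = 1000003 * 999983, the polynomial Q(x) = x^2 + 3x + 1, the seed interval and
# the sampling are all constructed for this example.
import random

N_TOY = 1000003 * 999983

def jacobi(a, n):
    """Jacobi symbol (a/n), n odd and positive, via quadratic reciprocity."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:               # factor out 2 using (2/n) = (-1)^((n^2-1)/8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                     # reciprocity: sign flips iff both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0      # n != 1 at the end means gcd(a, n) > 1

def jacobi_test(y, N):
    """0/1-output statistical test T(y, N)."""
    return 1 if jacobi(y, N) == 1 else 0

def acceptance_rate(values, N):
    return sum(jacobi_test(y, N) for y in values) / len(values)

def square_poly(x):
    return (x * x + 3 * x + 1) ** 2     # P(x) = Q(x)^2

def cube_poly(x):
    return x ** 3                       # P(x) = x^3

def rates(poly, N, M, samples, rng_seed=1):
    """(rate on P(x) mod N for x in [1,M], rate on `samples` uniform values in [1,N])."""
    rng = random.Random(rng_seed)       # fixed seed so the run is reproducible
    on_poly = acceptance_rate([poly(x) % N for x in range(1, M + 1)], N)
    on_uniform = acceptance_rate([rng.randint(1, N) for _ in range(samples)], N)
    return on_poly, on_uniform
```

The gap between the two rates (1.0 against about 0.5) is exactly the quantity $|p_n^T - \tilde p_n^T|$ that the indistinguishability definition below requires to vanish, which is why a square polynomial can never have the generator property of Section 3.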

We choose $N, M, P(x)$ so as to correspond to these conditions. Let $N$ be a random number that 
is uniformly distributed over the set 

$$S_n = \{\, N = p \cdot q \text{ for distinct primes } p, q \text{ such that } 2^{n/2 - 1} < p, q \le 2^{n/2} \,\}$$ 

of integers that are products of two distinct primes which each is $n/2$ bits long. We 
choose the interval length $M$ proportional to $2^{2n/d}$, $M = \Theta(2^{2n/d})$; i.e. $1/c \le 2^{2n/d}/M \le c$ 
for some absolute constant $c > 0$. Then $M$ is proportional to $N^{2/d}$ for all $N \in S_n$. The 
choice for the polynomials $P(x)$ seems to be subject to only a few restrictions. We are 
going to study a particular class of permutation polynomials where the hypothesis below 
can be justified by known theory. These are the RSA-polynomials $P(x) = x^d$ with $d$ 
relatively prime to $\varphi(N) = (p-1)(q-1)$. 

Rivest, Shamir and Adleman (1978) have invented the RSA-cryptoscheme that is based 
on the multiplicative group 

$$\mathbb{Z}_N^* = \{\, x \pmod N \mid \gcd(x,N) = 1 \,\}$$ 

of residue classes modulo $N$ that are relatively prime to $N$. The integer $N$ is the product of 
two odd primes, $N = p \cdot q$. The order of the group $\mathbb{Z}_N^*$ is $\varphi(N) = (p-1)(q-1)$. The 
transformation 

$$x \mapsto x^d \pmod N \qquad (2)$$ 

with $\gcd(\varphi(N), d) = 1$ is a permutation on the residue classes modulo $N$, i.e. it permutes 
the integers in the interval $[1,N]$. The inverse transformation is given by $x \mapsto x^e \pmod N$ 
where $e = d^{-1} \bmod \varphi(N)$. The permutation (2) with $\gcd(\varphi(N), d) = 1$ and $d \ne 1$ 
is an RSA-enciphering function. The enciphering key $d$ does not reveal the inverse key 
$e$ provided that $\varphi(N)$ is unknown. Knowledge of $\varphi(N)$ is equivalent to knowing the 
factorization $N = pq$. The security of the RSA-scheme relies on the assumption that 
RSA-enciphering $x \mapsto x^d \pmod N$ is difficult to invert when $d$, $N$ are given but $\varphi(N)$ 
and $e = d^{-1} \bmod \varphi(N)$ are unknown. All known methods for inverting RSA-enciphering 
require the factorization of $N$. 

We are going to show that the following hypothesis is closely related to the security of 
the RSA-scheme. Our random number generators will rely on this hypothesis. 

Hypothesis 2.1 Let $d \ge 3$ be an odd integer and $l = \lfloor 2n/d \rfloor$. For random $N \in S_n$ such 
that $\gcd(d, \varphi(N)) = 1$ and for all $M = \Theta(2^l)$ the following distributions on $[1,N]$ are 
indistinguishable by polynomial time statistical tests: 

• the uniform distribution on $[1,N]$, 
• $x^d \pmod N$ for random $x \in [1,M]$. 

We explain the hypothesis in more detail. The concept of a statistical test has been 
introduced by Yao (1982). A polynomial time statistical test is a sequence $T = (T_n)_{n \in \mathbb{N}}$ 
of probabilistic algorithms with a uniform polynomial time bound $n^{O(1)}$. According to 
Yao it is sufficient to consider statistical tests with 0,1-output. Let 

$$p_n^T = \mathrm{prob}[T_n(y, N) = 1]$$ 

be the probability that $T_n$ outputs 1. The probability space is that of all integers $N \in S_n$ 
with $\gcd(d, \varphi(N)) = 1$, all numbers $y \in [1,N]$ and all 0-1 sequences of internal coin 
tosses, with uniform distribution. Let $\tilde p_n^T(M)$ be the same probability with random 
numbers $y \in [1,N]$ replaced by $y = x^d \pmod N$ for random $x \in [1,M]$ and fixed $d$. The 
hypothesis means that for every polynomial time statistical test $T$ and all $M_n = \Theta(2^l)$ 

$$\lim_{n \to \infty} \left| p_n^T - \tilde p_n^T(M_n) \right| \, n^t = 0 \quad \text{for all } t > 0. \qquad (3)$$ 

In particular the hypothesis means that any polynomial time algorithm can at most 
factor a negligible fraction of the integers in $S_n$. There are algorithms that can 
efficiently factor a very small fraction of the integers in $S_n$, e.g. Pollard's $p-1$ method 
efficiently factors all integers $N = p \cdot q$ such that either $p-1$ or $q-1$ is a product of small 
primes. But no algorithm is known that can factor in polynomial time an $n^{-t}$-fraction of 
the integers in $S_n$ for some fixed $t > 0$. 

We introduce some useful terminology. We say that the statistical test $T$ $\varepsilon_n$-rejects 
RSA-ciphertexts $x^d \pmod N$ of random $x \in [1, M_n]$ if $|p_n^T - \tilde p_n^T(M_n)| > \varepsilon_n$ for infinitely 
many $n$. If (3) holds for all polynomial time statistical tests $T$ we call RSA-ciphertexts 
$x^d \pmod N$ of random messages $x \in [1, M_n]$ pseudo-random in $[1,N]$. In this case the 
distributions of $x^d \pmod N$ for random $x \in [1, M_n]$ and the uniform distribution on $[1,N]$ 
are called indistinguishable. 

In general two sequences of distributions $(D_n)_{n \in \mathbb{N}}$ and $(\tilde D_n)_{n \in \mathbb{N}}$ are called 
indistinguishable if for every polynomial time statistical test $(T_n)_{n \in \mathbb{N}}$, that is given random 
inputs with respect to $D_n$ ($\tilde D_n$, resp.), the probabilities $p_n^T$ ($\tilde p_n^T$, resp.) of output 1 satisfy 
$\lim_{n \to \infty} |p_n^T - \tilde p_n^T| \, n^t = 0$ for all $t > 0$. In case of indistinguishable distributions $D_n$, $\tilde D_n$, where 
$D_n$ is the uniform distribution on the set $C_n$, random elements with respect to $\tilde D_n$ are called 
pseudo-random in $C_n$. In case of pseudo-random pairs $(x,y)$ we call $x$ and $y$ 
pseudo-independent. A random number generator is called perfect if it transforms 
random seeds into pseudo-random strings. 

It can easily be seen that the Hypothesis 2.1 can only fail if RSA-enciphering leaks 
partial information on RSA-messages. 

Fact 2.2 Suppose Hypothesis 2.1 fails. Then given $d$ and $N$ we can distinguish between 
RSA-ciphertexts $x^d \pmod N$ of random messages $x \in [1,N]$ and of random messages $x \in [1, M_n]$ 
for some $M_n = \Theta(2^l)$. 

Proof The transformation $x \mapsto x^d \pmod N$ permutes the integers in the interval $[1,N]$. 
The RSA-enciphering $x^d \pmod N$ of random messages $x \in [1,N]$ is uniformly distributed 
over $[1,N]$. If Hypothesis 2.1 fails the uniform distribution can be distinguished from 
RSA-ciphertexts $x^d \pmod N$ for random $x \in [1, M_n]$; i.e. RSA-ciphertexts $x^d \pmod N$ 
would leak information on whether the message $x$ is contained in $[1, M_n]$. QED 

Fact 2.2 does not mean that the RSA-scheme breaks down if the hypothesis fails. This is 
because messages in the interval $[1, 2^l]$ are rather unlikely. Nevertheless the hypothesis is 
close to the security of the RSA-scheme. Using the following Theorem 2.3 we can relate 
the hypothesis to RSA-security (see Corollary 2.5). 

Theorem 2.3 Alexi, Chor, Goldreich, Schnorr (1984) 

Let $d, N$ be integers such that $\gcd(d, \varphi(N)) = 1$. Every probabilistic algorithm $AL$, which 
given the RSA-enciphering $x^d \pmod N$ of a message $x$, has an $\varepsilon_N$-advantage in guessing the 
least significant bit of the message $x$, can be transformed (uniformly in $N$) into a 
probabilistic algorithm $AL'$ for deciphering arbitrary RSA-ciphertexts. The deciphering 
algorithm $AL'$, when given for input $x^d \pmod N$, $d$ and $N$, terminates after at most 
$O(\varepsilon_N^{-8} n^3)$ elementary steps and outputs $x$ with probability at least $1/2$. 

We count for elementary steps the $\mathbb{Z}_N$-operations (addition, multiplication, division), 
RSA-encryptions and calls for algorithm $AL$ at unit cost. We say that algorithm $AL$ has 
an $\varepsilon_N$-advantage in guessing the least significant bit of $x$ if 

$$\mathrm{prob}[AL(x^d \pmod N, N) = x \pmod 2] \ge \tfrac{1}{2} + \varepsilon_N.$$ 

The probability space is the set of all $x \in [1,N]$ and all 0-1 sequences of internal coin 
tosses, with uniform probability. 

By Theorem 2.3 the security of the RSA-scheme with parameters N, d implies that the 
following two distributions cannot be distinguished given only N and d: 

• the uniform distribution on $[1,N]$, 
• $x^d \pmod N$ for random, even $x \in [1,N]$. 
Everyone who is able to distinguish these distributions can decode arbitrary 
RSA-ciphertexts x d (mod N) given only N and d. We will present in Corollary 2.4 a more 
formal version of this statement. 
We say that a probabilistic algorithm $AL$ $\varepsilon_N$-rejects the distribution $D$ on $[1,N]$ if 

$$|p^{AL} - \tilde p^{AL}| > \varepsilon_N,$$ 

where $p^{AL}$ ($\tilde p^{AL}$, resp.) is the probability that $AL$ on input $y \in [1,N]$ outputs 1. The 
probability space is the set of all $y \in [1,N]$, distributed according to $D$ (with uniform 
distribution, resp.) and of all 0-1 sequences of internal coin tosses of algorithm $AL$. 
Using this notion we can reformulate Theorem 2.3 as follows. 

Corollary 2.4 Let $d, N$ be integers such that $\gcd(d, \varphi(N)) = 1$. Every probabilistic 
algorithm $AL$, that $\varepsilon_N$-rejects RSA-ciphertexts $x^d \pmod N$ of even random messages $x$ can 
be transformed (uniformly in $N$) into a probabilistic algorithm for decoding arbitrary 
RSA-ciphertexts. This deciphering algorithm terminates after at most $O(\varepsilon_N^{-8} n^3)$ elementary 
steps (i.e. $\mathbb{Z}_N$-operations, RSA-encryptions and calls for $AL$). 

We next show that Corollary 2.4 remains valid if we replace RSA-ciphertexts of random 
even messages x, by RSA-ciphertexts of random messages x € [l,N/2]. 

Corollary 2.5 Let $d, N$ be odd integers such that $\gcd(d, \varphi(N)) = 1$. Every probabilistic 
algorithm $AL$, that $\varepsilon_N$-rejects RSA-ciphertexts $x^d \pmod N$ of random messages $x \in [1, N/2]$, 
can be transformed (uniformly in $N$) into a probabilistic algorithm for decoding 
arbitrary RSA-ciphertexts. This deciphering algorithm terminates after at most $O(\varepsilon_N^{-8} n^3)$ 
elementary steps. 

Proof For odd $N$ and all $x \in [1,N]$ we have 

$$x \in [1, N/2] \iff 2x \pmod N \text{ is even}$$ 

(i.e. $x \in [1, N/2]$ iff the representative of $2x \pmod N$ in $[1,N]$ is even). 

We see from this equivalence that the following distributions are identical for odd $N$: 
• $x^d \pmod N$ for random $x \in [1, N/2]$, 
• $2^{-d} y^d \pmod N$ for random even $y \in [1,N]$. 
Moreover we can transform in polynomial time $y^d \pmod N$ into $2^{-d} y^d \pmod N$. Thus an 
$\varepsilon_N$-rejection of RSA-encipherings $x^d \pmod N$ of random messages $x \in [1, N/2]$ can be 
transformed (uniformly in $N$) into an $\varepsilon_N$-rejection of RSA-ciphertexts $y^d \pmod N$ of 
random even $y \in [1,N]$. Corollary 2.5 follows from Corollary 2.4 by this transformation. 

QED 

Under the assumption that the RSA-scheme is safe Corollary 2.5 proves a slight 
modification of our hypothesis. The interval $[1, 2^l]$ of Hypothesis 2.1 is replaced by the 
interval $[1, N/2]$ in this modification. This poses the question whether the length of the 
interval is crucial for the hypothesis to be valid. We next show that Hypothesis 2.1, with 
the interval $[1, 2^l]$ replaced by the interval $[1, N 2^{-\log n}]$, is valid if the RSA-scheme is 
safe. 

Theorem 2.6 Let $d, N$ be odd integers such that $\gcd(d, \varphi(N)) = 1$. Every probabilistic 
algorithm $AL$, that $\varepsilon_N$-rejects RSA-ciphertexts $x^d \pmod N$ of random messages 
$x \in [1, N 2^{-k}]$, can be transformed (uniformly in $N$) into a probabilistic algorithm for 
decoding arbitrary RSA-ciphertexts. This deciphering algorithm terminates after at most 
$O(2^{2k} \varepsilon_N^{-8} n^3)$ elementary steps. 

Proof Under the assumption that the RSA-scheme is safe, Alexi et alii (1984) have 
shown that the $\log n$ least significant bits of RSA-messages $x$ are pseudo-random when 
given $x^d \pmod N$, $d$ and $N$. Their proof transforms every algorithm $AL$, that $\varepsilon_N$-rejects 
RSA-encipherings $x^d \pmod N$ of random messages $x$ satisfying $x \equiv 0 \pmod{2^k}$, (uniformly 
in $N$) into a probabilistic algorithm for deciphering arbitrary RSA-ciphertexts. This 
RSA-deciphering procedure terminates after at most $O(2^{2k} \varepsilon_N^{-8} n^3)$ elementary steps (i.e. 
$\mathbb{Z}_N$-operations, RSA-encipherings and calls for algorithm $AL$). 

For odd $N$ and all $x \in [1,N]$ we obviously have 

$$x \in [1, N 2^{-k}] \iff 2^k x \pmod N \equiv 0 \pmod{2^k}$$ 

(i.e. $x \in [1, N 2^{-k}]$ iff the representative of $2^k x \pmod N$ in $[1,N]$ is a multiple of $2^k$). 
Therefore the following two distributions are identical for odd $N$: 
• $x^d \pmod N$ for random $x \in [1, N 2^{-k}]$, 
• $2^{-kd} y^d \pmod N$ for random $y \in [1,N]$ satisfying $y \equiv 0 \pmod{2^k}$. 
Moreover we can transform in polynomial time $y^d \pmod N$ into $2^{-kd} y^d \pmod N$. Thus an 
$\varepsilon_N$-rejection of RSA-ciphertexts $x^d \pmod N$ of random messages $x \in [1, N 2^{-k}]$ can be 
transformed (uniformly in $N$) into an $\varepsilon_N$-rejection of RSA-ciphertexts $y^d \pmod N$ of 
random messages $y$ satisfying $y \equiv 0 \pmod{2^k}$. Theorem 2.6 follows from this 
transformation and the above mentioned proof of Alexi et alii (1984). QED 
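The two facts on which the proofs of Corollary 2.5 and Theorem 2.6 rest, checked exhaustively as an added example that is not code from the paper: for odd $N$, $x \le N/2^k$ holds iff the representative of $2^k x \bmod N$ in $[1,N]$ is a multiple of $2^k$, and the multiset $\{x^d \bmod N : x \le N/2^k\}$ equals $\{2^{-kd} y^d \bmod N : 2^k \mid y\}$, so a test for the small-interval ciphertexts turns into a test for ciphertexts of messages divisible by $2^k$ after one multiplication by the public constant $2^{-kd} \bmod N$. The modulus $N = 101 \cdot 103$ and exponent $d = 7$ are toy values of this example.

```python
# Added example, not code from the paper: the two facts that the proofs of
# Corollary 2.5 and Theorem 2.6 rest on, checked exhaustively for a toy odd modulus
# N = 101 * 103 (constructed; d = 7 is coprime to phi(N) = 10200).
#  (a) for odd N and x in [1,N]:  x <= N/2^k  <=>  the representative in [1,N] of
#      2^k x mod N is a multiple of 2^k   (k = 1 is the "even" case of Corollary 2.5);
#  (b) { x^d mod N : x in [1, N/2^k] } and { 2^{-kd} y^d mod N : y in [1,N], 2^k | y }
#      are the same multiset, via y = 2^k x,
# so a test that rejects ciphertexts of messages in [1, N/2^k] becomes, after one
# multiplication by the public constant 2^{-kd} mod N, a test that rejects ciphertexts
# of messages divisible by 2^k.

N_TOY, D_TOY = 101 * 103, 7

def rep(a, N):
    """Representative of a mod N in [1,N] (residue classes identified with [1,N])."""
    r = a % N
    return N if r == 0 else r

def interval_vs_divisibility_holds(N, k):
    """Fact (a), checked for every x in [1,N]."""
    assert N % 2 == 1
    return all((x <= N >> k) == (rep(x << k, N) % (1 << k) == 0)
               for x in range(1, N + 1))

def small_interval_ciphertexts(N, d, k):
    return sorted(pow(x, d, N) for x in range(1, (N >> k) + 1))

def shifted_ciphertexts(N, d, k):
    """2^{-kd} y^d mod N over y in [1,N] with 2^k | y."""
    inv = pow(2, -k * d, N)             # 2 is invertible mod odd N
    return sorted(inv * pow(y, d, N) % N for y in range(1 << k, N + 1, 1 << k))

def distributions_coincide(N, d, k):
    """Fact (b)."""
    return small_interval_ciphertexts(N, d, k) == shifted_ciphertexts(N, d, k)

def convert_test(test, N, d, k):
    """Turn a test for ciphertexts of x in [1, N/2^k] into a test for ciphertexts of
    y = 0 mod 2^k: multiply the input by 2^{-kd} before calling the original test."""
    inv = pow(2, -k * d, N)
    return lambda c: test(inv * c % N)

def conversion_works(N, d, k):
    """A test recognising small-interval ciphertexts (perfect only because the toy
    modulus allows enumerating them), once converted, recognises every ciphertext
    of a message divisible by 2^k."""
    small = set(small_interval_ciphertexts(N, d, k))
    converted = convert_test(lambda c: c in small, N, d, k)
    return all(converted(pow(y, d, N)) for y in range(1 << k, N + 1, 1 << k))
```

The conversion uses nothing but the public values $N$, $d$ and $2$, which is what "uniformly in $N$" and "in polynomial time" in the proofs amount to; the $2^{2k}$ factor in the time bound of Theorem 2.6 comes from the Alexi et alii reduction, not from this step.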

Notice that the time bound for the RSA-deciphering algorithm of Theorem 2.6 is 
polynomially related to the time bound of algorithm $AL$ provided that $k \le \log n$. Hence 
if Hypothesis 2.1 fails, with the interval $[1, 2^l]$ replaced by the interval $[1, N 2^{-\log n}]$, 
then RSA-ciphertexts can be deciphered in probabilistic polynomial time. Also if 
Hypothesis 2.1 fails, with the interval $[1, 2^l]$ replaced by the interval $[1, N 2^{-\sqrt{n}}]$, then 
RSA-ciphertexts can be deciphered in time $e^{O(\sqrt{n})}$. However the fastest known algorithm 
for RSA-deciphering, via factoring $N$, requires about $e^{0.693 \sqrt{n \log n}}$ steps, where $0.693 \approx \log 2$. 
Thus if Hypothesis 2.1 fails for the interval $[1, N 2^{-\sqrt{n}}]$, then we can speed up the 
presently known attacks to the RSA-scheme. 

It remains the question whether the computational properties of the distribution $x^d \pmod N$ 
change when $x$ ranges over very small integers $x$. In fact Hypothesis 2.1 does not hold 
for the interval $[1, N^{1/d}]$ since we have $x^d < N$ for all $x \in [1, N^{1/d}]$ and therefore 
RSA-ciphertexts $x^d \pmod N$ can easily be deciphered for $x \in [1, N^{1/d}]$. On the other hand 
the $d$-th powers $x^d$ are of order $N^2$ for almost all numbers $x \in [1, 2^l]$. We conjecture that this 
is sufficient to make the task of deciphering $x^d \pmod N$ hard. This is justified because 
inverting the squaring 

$$x \mapsto x^2 \pmod N$$ 

is known to be as hard as factoring $N$, and the squares $x^2$ are of order $N^2$, too. 

We are going to study the question whether Hypothesis 2.1 should be extended to 
polynomials $P(x)$ that are more general than RSA-polynomials $P(x) = x^d$ with 
$\gcd(d, \varphi(N)) = 1$. There is an obvious extension of Hypothesis 2.1 to arbitrary exponents 
$d \ge 2$. It seems that the condition $\gcd(d, \varphi(N)) = 1$ is not necessary for odd $d$. This is 
because no extension of the Jacobi-symbol is known for residues $x^d \pmod N$ of odd 
prime powers $d$. On the other hand we must modify the hypothesis for even $d$ since the 
Jacobi-symbol gives efficient information on the quadratic residuosity. We formulate the 
extended hypothesis so that it can be applied in the proof of Theorem 3.1 to establish 
perfect RNG's. For reasons of efficiency we are particularly interested in even exponents 
$d$ and in exponents that are powers of 2. 

Extension to even d of Hypothesis 2.1 For random $N \in S_n$, all $M = \Theta(2^l)$, $l = \lfloor 2n/d \rfloor$, 
and random $x \in [1,M]$ the following holds. 

(1) $y := x^d \pmod N$ is a pseudo-random quadratic residue modulo $N$. 

(2) Partitioning $y$ into the disjoint sections $z := \lfloor y\, 2^{-n+l} \rfloor$ and $y \pmod{2^{n-l}}$ yields 
pseudo-random numbers in $[1, N 2^{-n+l}]$ and $[1, 2^{n-l}]$. 

(3) $z^d \pmod N$ and $y \pmod{2^{n-l}}$ are pseudo-independent. 

Article (1) of the extended hypothesis can be justified by the work of Alexi et alii (1984) 
for the case that $N$ is a Blum-integer, i.e. $N$ is the product of two primes $p$ and $q$ such that 
$p \equiv 3 \pmod 4$ and $q \equiv 3 \pmod 4$. One can prove that distinguishing $x^d \pmod N$, for random 
$x \in [1, N^{2/d}]$, from random quadratic residues modulo $N$ is equivalent, by probabilistic 
polynomial time reductions, to factoring $N$. Article (2) means that neither $z$ nor $y \pmod{2^{n-l}}$ 
contains efficient information on the quadratic residuosity of $y$. Article (3) means 
that the dependence of $z$ and $y \pmod{2^{n-l}}$, via the quadratic residuosity of $y$, gets hidden 
by the transformation $z \mapsto z^d \pmod N$. 

Next we consider arbitrary polynomials $P(x)$ of degree $d$. We are going to show that some 
elementary methods for distinguishing random numbers $y \in [1,N]$ and $P(x) \bmod N$ for 
random $x \in [1, N^{2/d}]$ do not work. Theorem 2.7 is a first step in this direction. This 
problem clearly deserves further study. 

In general we can invert the transformation 

$$x \mapsto P(x) \bmod N \qquad (1)$$ 

only if the factorization $N = pq$ is given. Then, using Berlekamp's algorithm for 
polynomial factorization we invert (1) modulo $p$ and modulo $q$ and apply the Chinese 
remainder construction. This can be done in probabilistic time $(nd)^{O(1)}$. Without knowing 
the factorization of $N$ we do not know how to invert (1). In the particular case that $P(x)$ 
divides $x^{\varphi(N)} - 1$ we can invert (1) provided that we know the cofactor $(x^{\varphi(N)} - 1)/P(x)$, but in 
this case we can even factor $N$. 

Can we invert (1) for small integers $x$? If $|P(x)|/N$ is small we can guess the integer value 
$z = P(x)$ (there are only few candidates $z \equiv P(x) \pmod N$ with $|z|/N$ small) and factorize the 
polynomial $P(x) - z$ over the integers to find $x$. Theorem 2.7 below shows that $|P(x)|/N$ is large for almost all $x \in [1, N^{2/d}]$ 
provided that $P(x)$ has degree at most $d$. A degree bound is necessary since there 
exist polynomials of degree $N^{2/d}$ that vanish on the interval $[1, N^{2/d}]$. 

Theorem 2.7 Let $A, B, d$ be integers such that $M \ge (BN)^{1/d}\, 16Ad$, and let $P(x) \in \mathbb{Z}[x]$ 
have degree $d$. Then we have $\mathrm{prob}[\,|P(x)| < BN\,] \le 1/A$ for random $x \in [1,M]$. 

Proof Let $x_1, \ldots, x_k$ be the distinct real numbers in $[0,N]$ satisfying $P(x_i)^2 = B^2 N^2$ for 
$i = 1, \ldots, k$. We have $k \le 2d$ since $P(x)^2$ has degree $2d$. We partition the real interval $[0,M]$ 
into $4Ad$ intervals $I$ of length $M/(4Ad)$. A fundamental theorem in approximation theory 
(see e.g. Stiefel (1969), p. 236) implies that 

$$\max[\,P(x)^2 \mid x \in I\,] \ge \left(\frac{M}{16Ad}\right)^{2d}$$ 

for each of these intervals $I$. Hence 

$$\max[\,|P(x)| \mid x \in I\,] \ge \left(\frac{M}{16Ad}\right)^{d} \ge BN.$$ 

This shows that every interval $I$, that contains an integer $x$ satisfying $|P(x)| < BN$, must 
also contain some point $x_i$, $1 \le i \le k$. The intervals $I$ that contain some point $x_i$ can 
have at most 

$$2d \left(\frac{M}{4Ad} + 1\right)$$ 

integer points. This accounts for at most a fraction of 

$$\frac{1}{2A} + \frac{2d}{M} \le \frac{1}{A}$$ 

of the points in $[1,M]$. QED 



3. The Sequential and the Parallel Polynomial Generator 

In this section we build several RNG's on polynomials $P(x)$ of degree $d \ge 2$ that have the 
following generator property. The generator property formulates Hypothesis 2.1 for 
arbitrary polynomials $P(x)$. 

Definition The polynomial $P(x)$ has the generator property if for random $N \in S_n$, all $M$ 
proportional to $N^{2/d}$ and random $x \in [1,M]$ the number $P(x) \bmod N$ is pseudo-random in 
$[1,N]$. 

The generator property means that $P$ stretches random seeds $x \in [1, N^{2/d}]$ into 
pseudo-random numbers $P(x) \bmod N$ in the interval $[1,N]$. By Hypothesis 2.1 
RSA-polynomials $P(x) = x^d$ with $\gcd(d, \varphi(N)) = 1$ and $d \ge 3$ have the generator property. 
The sequential polynomial generator (SPG) generates a sequence of numbers $x = x_1, x_2, \ldots, x_i, \ldots$ 
in $[1, N^{2/d}]$ that are represented by bit strings of length $l := \lfloor 2n/d \rfloor$. The 
output at $x_i$, $\mathrm{Out}(x_i) \in \{0,1\}^{n-l}$, is the bit string consisting of the $n-l$ least significant 
bits of the binary representation of $P(x_i) \bmod N$. The successor $x_{i+1}$ of $x_i$ is the number 
corresponding to the other bits of $P(x_i) \bmod N$, 

$$x_{i+1} := \left\lceil \frac{P(x_i) \bmod N}{2^{n-l}} \right\rceil.$$ 

The sequential polynomial generator can be figured by the following infinite tree 

[Figure of the sequential polynomial generator (SPG), rooted at $x = x_1$] 

Let the $k$-output of the SPG 

$$\mathrm{SPG}_{k,P}(x, N) = \prod_{i=1}^{k} \mathrm{Out}(x_i)$$ 

be the concatenated output of the first $k$ steps. 

Notice that the most significant bits of $P(x_i) \bmod N$ are biased depending on the most 
significant bits of $N$. Even though the most significant bits of $P(x_i) \bmod N$ are not 
pseudo-random we can form from these bits the successor $x_{i+1}$ of $x_i$. This is because the 
generator property and Hypothesis 2.1 imply that $P(x_i) \bmod N$ is pseudo-random if $x_i$ is 
random in $[1,M]$, for all $M$ proportional to $2^l$. 
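The SPG as just defined, with $P(x) = x^d$, as an added example that is not code from the paper: each step emits the $n-l$ low bits of $P(x_i) \bmod N$ and takes $x_{i+1} = \lceil (P(x_i) \bmod N)/2^{n-l} \rceil$, and single_reduction_suffices checks the cost remark of the introduction that $x^d < N^2$ for $x \le N^{2/d}$, so one reduction modulo $N$ suffices. The modulus N_TOY $= 1000003 \cdot 999983$ (40 bits, giving $l = 16$ for $d = 5$) and the seeds are constructed toy values.

```python
# Added example, not code from the paper: the sequential polynomial generator (SPG)
# as defined above with P(x) = x^d, and the cost remark of the introduction that
# for x <= N^{2/d} the integer x^d lies below N^2, so one reduction modulo N suffices.
# N_TOY = 1000003 * 999983 (40 bits) and the seeds are constructed toy values; with
# d = 5 we get n = 40 and l = floor(2n/d) = 16, so each step emits n - l = 24 bits.

N_TOY, D_TOY = 1000003 * 999983, 5

def spg_params(N, d):
    """(n, l): the bit length n of N and l = floor(2n/d)."""
    n = N.bit_length()
    return n, (2 * n) // d

def spg_step(x, N, d):
    """One iteration: returns (Out(x_i) as a list of n-l bits, successor x_{i+1})."""
    n, l = spg_params(N, d)
    y = (x ** d) % N                         # a single reduction of a < 2n-bit integer
    y = N if y == 0 else y                   # residue classes identified with [1,N]
    out = [(y >> (n - l - 1 - j)) & 1 for j in range(n - l)]      # n-l low bits, MSB first
    succ = -(-y // (1 << (n - l)))           # ceil((P(x_i) mod N) / 2^{n-l}) in [1, 2^l]
    return out, succ

def spg_output(x, N, d, k):
    """k-output SPG_{k,P}(x, N): Out(x_1) ... Out(x_k) concatenated."""
    bits = []
    for _ in range(k):
        out, x = spg_step(x, N, d)
        bits.extend(out)
    return bits

def successors_stay_in_range(x, N, d, k):
    """Every x_{i+1} produced in k steps lies in [1, 2^l]."""
    _, l = spg_params(N, d)
    for _ in range(k):
        _, x = spg_step(x, N, d)
        if not 1 <= x <= 1 << l:
            return False
    return True

def single_reduction_suffices(N, d, x):
    """The cost remark: x^d < N^2 whenever x <= N^{2/d}."""
    return x ** d < N * N

def output_is_chained(x, N, d, k):
    """Consistency check: the k-output equals the 1-output followed by the
    (k-1)-output started at the successor."""
    out1, x2 = spg_step(x, N, d)
    return spg_output(x, N, d, k) == out1 + spg_output(x2, N, d, k - 1)
```

The ceiling in spg_step is what keeps every successor inside $[1, 2^l]$ rather than $[0, 2^l)$, matching the paper's identification of residue classes with $[1,N]$; the biased top bits mentioned above are consumed only as the next seed and never appear in the output.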

Theorem 3.1 Suppose that $P$ has the generator property. Then for random $N \in S_n$, random 
$x \in [1, N^{2/d}]$ and polynomially bounded $k$ (i.e. $k = k(n) = n^{O(1)}$) the $k$-output 
$\mathrm{SPG}_{k,P}(x, N)$ of the sequential polynomial generator is pseudo-random. 

Proof For random $N \in S_n$ and random $x = x_1 \in [1, N^{2/d}]$ the number $P(x_1) \bmod N \in [1,N]$ is 
pseudo-random. It follows that the bit string $\mathrm{Out}(x_1) \in \{0,1\}^{n-l}$ is pseudo-random and 
that the number $x_2 \in [1, 2^l]$ is pseudo-random. We also see that the pair $(\mathrm{Out}(x_1), x_2)$ is 
pseudo-random. It follows from the generator property and since $x_2$ is pseudo-random 
that 

$$(\,\mathrm{Out}(x_1)\,\mathrm{Out}(x_2),\; x_3\,) = (\,\mathrm{SPG}_{2,P}(x_1, N),\; x_3\,)$$ 

is pseudo-random, too. To prove this claim we replace in a statistical test $T = (T_n)_{n \in \mathbb{N}}$ 
for $z := (\mathrm{Out}(x_1)\,\mathrm{Out}(x_2), x_3)$ the pair $(\mathrm{Out}(x_2), x_3)$ (the string $\mathrm{Out}(x_1)$, resp.) by 
random objects generated through internal coin tosses. This transforms $T$ into statistical 
tests for $P(x_1) \bmod N$ ($P(x_2) \bmod N$, resp.). If $z$ is $\varepsilon_n$-rejected then either $P(x_2) \bmod N$ or 
$P(x_1) \bmod N$ is $(\varepsilon_n/2)$-rejected. In either case this yields a statistical test that 
$(\varepsilon_n/2)$-rejects $P(x_1) \bmod N$. 

By induction on $k$ the same argument proves that 

$$(\,\mathrm{SPG}_{k,P}(x_1, N),\; x_{k+1}\,)$$ 

is pseudo-random for every fixed $k$. The pseudo-randomness also holds if $k = k(n)$ is 
polynomially bounded in $n$, i.e. $k = n^{O(1)}$. Using the above argument we can transform a 
test that $\varepsilon_n$-rejects $(\mathrm{SPG}_{k,P}(x_1, N), x_{k+1})$ into a test that $(\varepsilon_n/k)$-rejects $P(x_1) \bmod N$. QED 

It is important that the above proof also applies to polynomials P(x) = x^d with even d. Instead of using the generator property of P we can use the extension to even d of Hypothesis 2.1. Speaking informally, it does not hurt that x^d (mod N) ranges over quadratic residues, since the output merely contains the least significant bits of x^d (mod N) and these bits give no efficient information on the quadratic residuosity of x^d (mod N). E.g. we can use for random bit generation the polynomial P(x) = x^8, which yields particularly efficient RNG's.

PRACTICAL SEQUENTIAL POLYNOMIAL GENERATORS: The modulus N and the number N^{2/d} must be fixed in practical applications. We study the complexity conditions that N and N^{2/d} must satisfy to prevent an efficient analysis of the generator output.

It must be practically impossible to factor the modulus N. For this let N be a product of two random primes p and q, each of which is at least 256 bits long. The numbers p-1, p+1, q-1, q+1 must each have at least one prime factor which is larger than 2^{80}.

The number N^{2/d} must be so large that, given x^d (mod N), it is practically impossible to find x ∈ [1, N^{2/d}] by efficient search methods. Pollard (1988) has proposed the following method to search for an input x that is a product x = uv of two numbers u, v ∈ [1, N^a]:

1. Generate the set S_1 = {u^d (mod N) | u ∈ [1, N^a]} and sort this set.

2. Generate the set S_2 = {x^d v^{-d} (mod N) | v ∈ [1, N^a]} and sort this set.

3. Test whether S_1 and S_2 have a common element. If u^d = x^d v^{-d} (mod N) ∈ S_1 ∩ S_2 then one has found x = uv.

Pollard's attack performs O(N^a) arithmetical steps modulo N and stores N^a residues modulo N. It is most efficient when x is a product of two numbers in [1, N^{1/d}]. In order to make Pollard's attack infeasible it is sufficient that N^{1/d} is at least 2^{80}.
Example 1: Let N be n = 512 bits long and let gcd(7, φ(N)) = 1. We choose d = 7, P(x) = x^7. Let Out(x_i) consist of the 384 least significant bits of P(x_i) mod N and let x_{i+1} be the number corresponding to the 128 most significant bits of P(x_i) mod N. We compute x^7 (mod N) by computing x^2, x^4, x^7 = x · x^2 · x^4. Only the last multiplication requires modular reduction. The other multiplications are with small numbers. The costs of one iteration step correspond to one full modular multiplication. Thus this SPG iteratively outputs 384 pseudo-random bits at the cost of one full modular multiplication with a modulus that is 512 bits long.

Example 2: Another suitable polynomial is P(x) = x^8, even though this polynomial does not have the generator property. The computation of x^8 (mod N) is particularly easy; we compute x^2, x^4, x^8 by successive squaring. The SPG with P(x) = x^8 iteratively outputs 384 bits at the cost of one full modular multiplication with a modulus N that is 512 bits long.

Efficient public key encoding and decoding. We can use the above RNG's to generate a one-time-pad for message encoding. When given the seed x_1 of the one-time-pad, encoding and decoding can be done at a speed of about n(1 - 2/d) bits per multiplication modulo N. A public key coding scheme such as RSA can be used to encode and to decode the seed x_1.
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The parallel polynomial generator. The parallel polynomial generator (PPG) generates 
from random seed x e [l,N J/d ] a tree with root x and outdegree at most d/2. The nodes 
of this iteration tree are pseudo-random numbers in [t,N s/d ] that are represented by bit 
strings of length /. 

The successors y(1), ..., y(s) of a node y with degree s and the output string Out(y) of node y are defined as follows. Let b_1, ..., b_n be the bits of the binary representation of P(y) mod N, with b_1 being the most significant bit, i.e.

$\sum_{i=1}^{n} b_i\, 2^{\,n-i} = P(y) \bmod N .$

We partition the sl most significant bits into s blocks with l bits in each block. The corresponding numbers

$y(j) := 1 + \sum_{i=1}^{l} b_{(j-1)l+i}\, 2^{\,l-i} \quad \text{for } j = 1, \ldots, s$

are the successors of node y in the iteration tree. The output Out(y) at node y consists of the remaining low order bits of P(y) mod N,

$\mathrm{Out}(y) = b_{sl+1} \cdots b_n .$

For convenience we denote the nodes on level k of the iteration tree as x(j_1, ..., j_k); x(j_1, ..., j_{k-1}) is the direct predecessor of x(j_1, ..., j_k), and j_k ranges from 1 to s_{k-1} = "outdegree of x(j_1, ..., j_{k-1})". For simplicity we let the outdegree of node x(j_1, ..., j_k) be a function depending on k only; we assume that s_k ≥ 1.

The parallel polynomial generator can be figured by the following infinite tree:

[Figure of the parallel polynomial generator (PPG): root x = x(Λ) with successors x(1), x(2), ..., x(s_0); a node x(1, j_2, ..., j_{k-1}) has successors x(1, j_2, ..., j_{k-1}, 1), ..., x(1, j_2, ..., j_{k-1}, s_{k-1})]

We define the k-output PPG_{k,P}(x,N) of the PPG with seed x as the concatenation of all bit strings Out(x(j_1, ..., j_i)) on levels i with 0 ≤ i < k, with respect to any efficient enumeration order, as e.g. preorder traversal, postorder traversal, inorder traversal or enumeration by levels.

In the particular case that all outdegrees are one, i.e. s_0 = s_1 = ... = s_k = 1, the parallel and the sequential polynomial generator coincide. The argument of Goldreich, Goldwasser and Micali (1986) extends Theorem 3.1 from the SPG to arbitrary PPG's, provided that we process at most polynomially many nodes in the iteration tree. This yields the following theorem.

Theorem 3.2 Suppose that P has the generator property. Then for random N ∈ S_n, random x ∈ [1, 2^l] the k-output PPG_{k,P}(x,N) of the parallel polynomial generator is pseudo-random provided that the length of PPG_{k,P}(x,N) is polynomially bounded.

Idea of proof. There is a straightforward way to extend the proof of Theorem 3.1. Suppose that the k-output PPG_{k,P}(x,N) collects the outputs of F nodes. Then every statistical test that ε_n-rejects PPG_{k,P}(x,N) for random x ∈ [1, N^{2/d}] and random N ∈ S_n can be transformed into a statistical test that (ε_n/F)-rejects P(x) mod N. QED
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For the output of the PPG we can use any efficient enumeration for the nodes of the 
iteration tree. To support parallel evaluation we can adjust the shape of the iteration 
tree and the enumeration order to the number of available parallel processors. For m 
parallel processors we can use any iteration tree consisting of m isomorphic subtrees 
attached to the root; we can enumerate, in any order, the m-tuples of corresponding 
nodes in these subtrees. The enumeration within the subtrees can be chosen to support 
fast retrieval; for this we can enumerate the nodes e.g. in preorder traversal or in 
inorder traversal. It is an obvious but important observation that m processors can speed 
the pseudo-random bit generation of the PPG by a factor m. Once we are given m nodes 
on the same level of the iteration tree we can process the subtrees below these nodes 
independently by m parallel processors. These processors do not need to communicate. 

Corollary 3.3 Using m processors in parallel we can speed the pseudo-random bit 
generation of the parallel polynomial generator by a factor m. 

PRACTICAL PARALLEL POLYNOMIAL GENERATORS 

Let N be a product of two random primes so that N is 512 bits long. Let P(x) = x^8.

Example 3: We construct from random x ∈ [1, 2^{128}] a tree with 4 nodes per level.

1. Stretch a random seed x ∈ [1, 2^{128}] into x^8 (mod N).

2. Partition the binary representation of x^8 (mod N) into 4 bit strings x(1), ..., x(4) of length 128. Put k := 1 and let PPG_{1,P}(x,N) be the empty string.

3. For j = 1, ..., 4 let x(j, 1^k) ∈ I_{128} consist of the 128 most significant bits of the binary representation of x(j, 1^{k-1})^8 mod N, and let Out(x(j, 1^k)) ∈ I_{384} consist of the remaining 384 least significant bits.

4. $\mathrm{PPG}_{k+1,P}(x,N) := \mathrm{PPG}_{k,P}(x,N) \prod_{j=1}^{4} \mathrm{Out}(x(j, 1^k))$ ;
k := k + 1, go to 3.
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x 




\L X- X X 

x(ll) x(21) x(31) x(41) 

xi i J, i 

x(ll-l) x(21-l) x(31-l) x(41~l) 
• * > » 

Fi(ur< of th« PPG of tximpla 5 



Using 4 parallel processors this PPG iteratively generates 4 · 384 = 1536 pseudo-random bits in the time for one full modular multiplication with a modulus N that is 512 bits long. With current processors for smart cards such a full modular multiplication can be done in less than 0.2 sec. Thus 4 parallel processors can generate about 9000 pseudo-random bits per sec.

Example 4: We construct from random x ∈ [1, 2^{128}] a complete tree of outdegree 2.

1. Choose a random seed x ∈ [1, 2^{128}] for the root of the tree.

2. For every node y ∈ [1, 2^{128}] of the tree compute the successors y(1), y(2) and the output Out(y) by partitioning the binary representation B of y^8 (mod N) as

$B = B_1\, B_2\, \mathrm{Out}(y) \in I_{128} \times I_{128} \times I_{256} ,$

and compute for i = 1, 2

y(i) := 1 + "the number with binary representation B_i".
The main interest in such a PPG comes from fast retrieval methods. 

Fast retrieval for the PPG. If the PPG has a complete iteration tree one can efficiently retrieve substrings of the output. Consider Example 4 with a complete iteration tree of outdegree 2. Level k of the tree has 2^k nodes and the first k levels have 2^k - 1 nodes in total. Suppose the nodes of the tree are enumerated in preorder traversal. Each node yields 256 output bits. To retrieve node y we follow the path from the root to y. This requires processing and storage of at most k nodes and can be done at the cost of about k full modular multiplications. Once we have retrieved node y and stored the path from the root to node y, the bit string that follows Out(y) in the output can be generated using standard retrieval methods at the speed of 256 bits per modular multiplication. For most practical applications the depth k will be at most 60, which permits generating a pseudo-random string that is 3.7 · 10^{20} bits long. We see that retrieval of substrings is very efficient; it merely requires a preprocessing stage of a few seconds to retrieve the initial segment of the substring.

Theorem 3.4 Every node y of depth k in the iteration tree of the PPG can be accessed and 
processed at the costs of 0(k) modular multiplications. 



k                10          20          30           40           50           60

# output bits    5.2 · 10^5  5.7 · 10^8  5.5 · 10^11  5.6 · 10^14  5.8 · 10^17  5.9 · 10^20

Table: retrieval performance of the PPG, Example 4
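To make the constructions concrete, here is an added toy implementation (not from the paper) of the SPG of Examples 1-2, the PPG of Examples 3-4 with preorder enumeration, and the path-based retrieval of Theorem 3.4. The modulus N_TEST, the seed and the choice P(x) = x^8 are constructed test values; N_TEST is about 92 bits and gives no security, whereas the paper uses a 512-bit N with 256-bit prime factors.

```python
# Added example, not code from the paper.  The modulus below is a CONSTRUCTED
# test value (a product of two Mersenne primes); l = floor(2n/d) as in Section 3.
P_TEST = (1 << 61) - 1          # 2^61 - 1, prime
Q_TEST = (1 << 31) - 1          # 2^31 - 1, prime
N_TEST = P_TEST * Q_TEST        # constructed test modulus, n = 92 bits


def params(N, d):
    """n = bit length of N, l = floor(2n/d) = bit length of seeds and nodes."""
    n = N.bit_length()
    return n, (2 * n) // d


def expand(y, N, d, s):
    """One node step: compute P(y) = y^d mod N, cut its n-bit representation
    b_1 ... b_n (b_1 most significant) into s successor blocks of l bits and
    use the remaining n - s*l low-order bits as Out(y).  Returns
    (successors, output_bits); successors are ints in [1, 2^l], the output
    is a '0'/'1' string."""
    n, l = params(N, d)
    assert s * l <= n, "outdegree too large for this modulus"
    bits = format(pow(y, d, N), f"0{n}b")
    succ = [1 + int(bits[j * l:(j + 1) * l], 2) for j in range(s)]
    return succ, bits[s * l:]


def spg_output(x1, N, d, k):
    """k-output SPG_{k,P}(x1, N) = Out(x_1) ... Out(x_k), where x_{i+1} is the
    number formed by the l most significant bits of P(x_i) mod N."""
    out, x = [], x1
    for _ in range(k):
        (x,), o = expand(x, N, d, 1)
        out.append(o)
    return "".join(out)


def ppg_output(x, N, d, s, depth):
    """k-output of the PPG with constant outdegree s: the outputs of all nodes
    on levels 0 .. depth-1, enumerated in preorder (node, then its subtrees)."""
    if depth == 0:
        return ""
    succ, o = expand(x, N, d, s)
    return o + "".join(ppg_output(c, N, d, s, depth - 1) for c in succ)


def retrieve(x, N, d, s, path):
    """Fast retrieval (Theorem 3.4): reach node x(j_1, ..., j_k) by following
    the path from the root, costing k + 1 evaluations of P mod N instead of
    an enumeration of the whole tree.  Returns that node's output string."""
    y = x
    for j in path:                      # j in 1..s, as in the paper
        succ, _ = expand(y, N, d, s)
        y = succ[j - 1]
    return expand(y, N, d, s)[1]


def demo():
    """Run the SPG and a binary PPG on the constructed modulus with P(x) = x^8."""
    n, l = params(N_TEST, 8)            # here n = 92, l = 23
    seed = 0x5EED                       # constructed seed, must lie in [1, 2^l]
    spg = spg_output(seed, N_TEST, 8, 4)
    tree = ppg_output(seed, N_TEST, 8, 2, 3)
    return n, l, len(spg), len(tree)
```

With outdegree 1 the PPG output coincides with the SPG output, as the text notes, and a node retrieved along its path reproduces exactly the slice of the preorder enumeration that belongs to it.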



Parallelization and fast retrieval for arbitrary perfect RNG's. It is an important observation that the above methods of parallelization and of efficient retrieval apply to every perfect RNG (G_n)_{n ∈ ℕ}. The parallel version of the generator associates an iteration tree to a random seed. For example let G_n : I_n → I_{3n} stretch random strings in I_n into pseudo-random strings in I_{3n}. We construct from a random seed x ∈ I_n a binary iteration tree with nodes in I_n. Let x be the root of the tree. Construct the two successors y(1), y(2) and the output Out(y) of node y by partitioning G_n(y) ∈ I_{3n} into three substrings of length n,

$G_n(y) = y(1)\, y(2)\, \mathrm{Out}(y) .$

Let PG_{k,G}(x) be the concatenated output of all nodes with depth at most k (compare with the definition of PPG_{k,P}(x,N)).

Theorem 3.5 Let (G_n)_{n ∈ ℕ} be any perfect RNG. Then for random seed x ∈ I_n the concatenated output PG_{k,G}(x) of all nodes with depth ≤ k is pseudo-random provided that its length is polynomially bounded in n.

We illustrate our method of parallelization by applying it to some less efficient versions of the RSA/Rabin generator. Let N be a product of two random primes such that N is 512 bits long and gcd(3, φ(N)) = 1.
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Example 5: From random seed x € [1,N] we generate the sequence of numbers 
X!,x 2 Xj,... e [1,N] as 

Xj » x , Xj+j » x?(mod N) . 

Under the assumption that the RSA-enciphering x — x S (mod N) is safe for the 
particular N, Alexi et alii (1984) have shown that about the 16 least significant bits of Xj 
are pseudo-independent from Xj+j. This suggest the following output of Xj 

Out(xj) ■ "the 16-least significant bits of 

Thus for random x t € [1,N] and under the assumption that RSA-enciphering is safe we 

100 

obtain pseudo-random bit strings Yl Out(Xj) of length 1600. We apply a binary tree 

i=l 

construction to the function 

100 

that stretches the binary representation of xi e [1,N] into Yl Out(Xi) . The binary tree 

has nodes in Isu- The successors y(l), y(2) and the output of node y are obtained by 
partitioning G(y) into two successor strings of length 512 and an output string Outc(y) 
€ Is78- Processing a node of the binary iteration tree costs 200 modular multiplication. 

Example 6: We can accelerate this generator under the reasonable assumption that the 448 least significant bits of the number x and the number x^3 (mod N) are pseudo-independent for random x ∈ [1,N]. We set

Out(x_i) := "the 448 least significant bits of x_i" .

The assumption implies that $\prod_{i=1}^{3} \mathrm{Out}(x_i) \in I_{1344}$ is pseudo-random for random x_1 ∈ [1,N]. We apply the binary tree construction to the function

$G : I_{512} \to I_{1344}$

that stretches the binary representation of x_1 ∈ [1,N] into $\prod_{i=1}^{3} \mathrm{Out}(x_i)$. The successors y(1), y(2) ∈ I_{512} and the output Out_G(y) ∈ I_{320} of node y are obtained by partitioning G(y) ∈ I_{1344} into two strings in I_{512} and Out_G(y) ∈ I_{320}. Processing a node of the binary tree costs 6 modular multiplications.
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Example 7: We can further speed up this generator under the assumption that the 448 
least significant bits of random x e [1,N] and the number x 2 (mod N) are 
pseudo-independent. (It follows from Alexi et alii (1984) that the 16 least significant bits 
of random x € [1,N] and the number x 2 (mod N) are pseudo-independent if factoring the 
particular N is hard. Under this assumption we can replace the iteration Xj :- xf +1 (mod 
N) by X|+i := Xi(mod N). As in Example 5 we associate with a random x e [1,N] a binary 
iteration tree with nodes in Isi2- Processing a node of this tree costs about 4 modular 
multiplications and yields 320 pseudo-random bits for output. 

It is interesting to compare the efficiency of these parallel RNG's with the parallel 
RNG's based on Hypothesis 2.1. For the latter RNG's in examples 1-4 the cost per node 
of the iteration tree is about 1 multiplication modulo N. This shows that the new perfect 
RNG's are more suitable for our method of parallelization and fast retrieval. 



4. Open Problems: Random Number Generators Based on a Prime Modulus 

In Hypothesis 2.1 we need that the modulus N is difficult to factor. This is because given the factorization of N and given x^d (mod N) we can recover x = x^{de} (mod N) using the inverse exponent e = d^{-1} (mod φ(N)). Now suppose we are only given the least significant bits of x^d (mod N). Then we cannot easily recover x even if d^{-1} (mod φ(N)) is known. This poses the question whether Hypothesis 2.1 can be extended to arbitrary prime moduli p.

Problem 4.1. Let p be an arbitrary prime, 2^{n-1} < p < 2^n, let d be relatively prime to p-1, d ≥ 3, and let l ≥ ⌊2n/d⌋. Is it true that for random x ∈ [1, 2^l] and y := x^d (mod p) the n-l least significant bits of y are pseudo-random?

If this pseudo-randomness does not hold for all primes we ask whether it holds for random primes.

Problem 4.2. Let d ≥ 3, l ≥ ⌊2n/d⌋ and let p be a random prime such that 2^{n-1} < p < 2^n and gcd(d, p-1) = 1. Is it true that for random x ∈ [1, 2^l] and y := x^d (mod p) the n-l least significant bits of y are pseudo-random?

If we replace in Problem 4.2 the prime modulus p by a random composite modulus in S_n, the pseudo-randomness in question follows from Hypothesis 2.1. These problems are important since a positive answer would modify Hypothesis 2.1 so that it is no longer related to the difficulty of factoring the modulus. We consider the random number generators that would follow.

The sequential generator using a prime modulus. The SPG generates from a random seed x_1 ∈ [1, 2^l] a sequence of numbers x_1, x_2, ..., x_i ∈ [1, 2^l] that are represented by bit strings of length l. The output at x_i, out(x_i) ∈ {0,1}^{n-2l}, is the bit string consisting of the n-2l least significant bits of the binary representation of x_i^d (mod p). The successor x_{i+1} of x_i is the number corresponding to the next l least significant bits of x_i^d (mod p); these are the bits in positions n-l, ..., n-2l+1 from the left.

Corollary 4.3 If pseudo-randomness holds in Problem 4.2, then the above SPG transforms for random prime p with 2^{n-1} < p < 2^n and every k with k = n^{O(1)} a random seed x_1 ∈ [0, p-1] into a pseudo-random output

$\prod_{i=1}^{k} \mathrm{out}(x_i) .$

In practical applications the number l must be so large that, given the n-l least significant bits of x^d (mod p), it is practically impossible to find x ∈ [1, 2^l]. Now Pollard's attack (see section 3) does not work since the most significant bits of x^d (mod p) are unknown. Therefore it would be sufficient to start with a random seed x_1 that is 64 bits long.

Example 8: Let p be a prime that is 224 bits long, let gcd(p-1, 7) = 1, d = 7 and l = 64. The output Out(x_i) consists of the 96 least significant bits of x_i^7 (mod p), the successor x_{i+1} of x_i is formed by the next 64 least significant bits of x_i^7 (mod p). The 64 most significant bits of x_i^7 (mod p) are not used at all. Each iteration step generates 96 pseudo-random bits roughly at the cost of one full modular multiplication with a modulus that is 224 bits long.

If we choose a 512 bit long prime modulus p and d = 7, l = 64 then we can output 384 pseudo-random bits per iteration. This achieves the same performance that is obtained with a composite modulus of the same length, see Example 1. However, using a prime modulus that is about 224 bits long the arithmetic can be done with much smaller numbers, and thus the generator can be implemented on a cheaper chip.
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Abstract 

We present a digital signature scheme based on trapdoor permutations. 
This scheme is secure against existential forgery under adaptive chosen message 
attack. The only previous scheme with the same level of security was based on 
factoring. 

Although the main thrust of our work is the question of reduced assump- 
tions, we believe that the scheme itself is of some independent interest. We 
mention improvements on the basic scheme which lead to a memoryless and 
more efficient version. 

1 INTRODUCTION 

In 1976 Diffie and Hellman proposed that modern cryptography be based on the 
notions of one-way functions (functions that are easy to evaluate but hard to invert) 
and trapdoor functions (functions that are easy to evaluate and hard to invert without 
the possession of an associated secret). 

In a few years, though, it became clear that basing security solely on assumptions 
as general as the existence of one-way or trapdoor functions was indeed a great chal- 
lenge. The first provably good solutions that were found for several cryptographic 
problems were based on simple complexity theoretic assumptions about the com- 
putational difficulty of particular problems such as integer factorization ([GM], [Y], 
[BIMi]). More recently, however, it was found that pseudo-random number genera- 
tion is possible if and only if certain kinds of one-way functions exist ([Y],[Le],[GKL]). 
Similarly we now know that secure encryption is possible if and only if trapdoor pred- 
icates exist. 

Thus Diffie and Hellman's original goal was realized for two of the major crypto- 
graphic primitives. Somewhat surprisingly, in sharp contrast with the progress made 

* Supported in part by NSF grant DCR-84-13577 and ARO grant DAALO3-86-K-0171. 

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 200-215, 1990. 
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in encryption and pseudo-random number generation, digital signatures, the other 
fundamental cryptographic primitive, was not yet based on a general assumption. 
The first paper to address the issues of security in a sufficiently general way and 
provide a signature scheme with a proof of security was that of [GMY]. Their results 
and the underlying notions of security were further improved in [GMR]. But both 
their schemes were based on factoring. Actually, [GMR] base their scheme on the 
existence of claw-free pairs, an assumption weaker than factoring but stronger than 
the assumption that trapdoor functions exist. 

Thus, not only did we not know whether digital signatures are available based on 
a general complexity theoretic assumption but, even worse, digital signatures were 
totally linked to a single candidate hard problem. This is particularly unsatisfactory 
as a great many protocols make use of digital signatures and thus the computational 
intractability of factoring becomes a bottleneck in the assumptions of many crypto- 
graphic protocols. 

The contribution of this paper is to free digital signatures from the fortunes of a 
specific algebraic problem by establishing a truly general signature scheme. Namely, 
we prove the following 

Main Theorem: Secure digital signature schemes exist if any trapdoor permutation 
exists. 

Thus, we show once again the feasibility of Diffie and Hellman's original pro- 
posal. To appreciate the generality of our theorem, let us clarify what "secure" and 
"trapdoor" mean. 

By secure we mean "non existentially forgeable under an adaptive chosen message 
attack" as defined by [GMR]. Informally, in an adaptive chosen message attack, a 
polynomial time enemy (who sees the public key) can choose any message he wants 
and request to have it signed. After seeing the desired signature, the enemy can 
choose another message to be signed; and so forth for a polynomial (in the security 
parameter) number of times. Not to be existentially forgeable means that, after the 
attack, the enemy will not be able to sign any new message; that is, he will not be 
able to produce the signature of any string for which he had not previously requested 
and obtained the signature. 

We believe this to be the strongest natural notion of security. In essence, in a 
scheme secure in this sense, signing is not only hard, but remains hard even having a 
"teacher" for it. This is more than we may need in practice, where an enemy may be 
able perhaps to see a few message-signature pairs, but is not able to ask for signatures 
of messages of his choice! 

By trapdoor function we mean a permutation f hard to invert (without knowledge 
of the secret) on a polynomial fraction of the k-bit strings (when f has security 
parameter k). Notice that this underlying trapdoor f may by itself be insecure 
against an adaptive chosen message attack; that is, after being given the value of f^{-1} 
at a few chosen inputs, one may be able to easily invert f on all inputs. Our scheme 
will work with such functions as well. In fact our construction has a strengthening 
effect, and the resulting signing algorithm will be more secure than the trapdoor 
function it uses. 
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We are indebted to [GMR] not only as a source of ideas for the present paper, but 
also for their development and exposition of the notions of signatures and security on 
which we model our own. 

2 SIGNATURE SCHEMES AND THEIR SECURITY 

In a digital signature scheme, each user A publishes a "public key" while keeping 
secret a "secret key" . User A's signature for a message m is a value depending on m 
and his public and secret keys such that anyone can verify the validity of A's signature 
using A's public key. However, it is hard to forge A's signatures without knowledge of 
his secret key. Below we give a more precise outline of the constituents of a signature 
scheme and of our notion of security against adaptive chosen message attack. We 
follow [GMR] for these notions. 

2.1 Components of a Signature Scheme 

A digital signature scheme has the following components: 

• A security parameter k which is chosen by the user when he creates his public 
and secret keys and which determines overall security, the length and number 
of messages, and the running time of the signing algorithm. 

• A message space which is the set of messages to which the signature algorithm 
may be applied. We assume all messages are binary strings, and to facilitate 
our exposition and proofs we assume that the message space is M_k = {0,1}^k, 
the set of all k-bit strings, when the security parameter is k. 

• A polynomial SB called the signature bound. The value SB(k) represents a 
bound on the number of messages that can be signed when the security param- 
eter is k. 

• A probabilistic polynomial time key generation algorithm KG which can be 
used by any user to produce, on input 1^k, a pair (PK, SK) of matching public 
and secret keys. 

• A probabilistic polynomial time signing algorithm S which given a message m 
and a pair (PK, SK) of matching public and secret keys, produces a signature 
of m with respect to PK. S might also have as input the signatures of all 
previous messages it has signed relative to PK. 

• A polynomial time verification algorithm V which given S, m, and PK tests 
whether S is a valid signature for the message m with respect to the public key 
PK. 
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Note that the key generation algorithm must be randomized to prevent a forger from 
re-running it to obtain a signer's secret key. The signing algorithm need not be 
randomized, but ours is; a message may have many different signatures depending on 
the random choices of the signer. 

2.2 Security against Adaptive Chosen Message Attacks 

Of the various kinds of attacks that can be mounted against a signature scheme 
by a forger, the most general is an adaptive chosen message attack. Here a forger 
uses the signer A to obtain sample signatures of messages of his choice. He requests 
message signatures, with his requests depending not only on A's public key but on 
the signatures returned by A in response to the forger's previous requests. From the 
knowledge so gathered he attempts forgery. 

The most general kind of forgery is the successful signing, relative to A's public 
key, of any message m. This is called an existential forgery. (Note that forgery of 
course only denotes the creation of a new signature; it is no forgery to obtain a valid 
signature from A and then claim to have "forged" it). The security we require of 
our scheme is that existential forgery under an adaptive chosen message attack be 
infeasible with very high probability. For qualifications and a more precise expression 
of these notions we resort to a complexity theoretic framework. 

A forger is a probabilistic polynomial time algorithm F which on input a public 
key PK with security parameter k 

• engages in a conversation with the legal signer S, requesting and receiving 
signatures for messages of his choice, for a total number of messages bounded 
by a polynomial in k (the adaptive chosen message attack), 

• then outputs S purporting to be a signature with respect to PK of a new 
message m (an attempt at existential forgery). 

We say F is successful if the signature it creates is a genuine (i.e. V(S, m, PK) = 
true) forgery. We say that a signature scheme is Q-forgable (Q a polynomial) if there 
exists a forger F who, for infinitely many k, succeeds with probability more than 1/Q(k) 
on input a public key with security parameter k. The probability here is over the 
choice of the public key, which is chosen according to the distribution generated by 
KG, and over the coin tosses of F and S. 

The security property we are interested in consists of not being Q-forgable for any 
polynomial Q. 

3 TRAPDOOR PERMUTATIONS 



We propose here a relatively simple complexity theoretic definition of trapdoor per- 
mutations which nevertheless captures all the known candidates for trapdoor permu- 
tations. 
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Definition 3.1 A triplet (G,E,I) of probabalistic polynomial time algorithms is a 
trapdoor permutation generator if on input 1* the algorithm G outputs a pair of k bit 
strings (x, y) such that 

(1) The algorithms E(x, •) and I(y, •) define permutations of {0, l} fc which are in- 
verses of each other: I(y, E(x, z)) = z and E(x, I{y,z)) — z for all z € {0, 1} . 

(2) For all probabilistic polynomial time (adversary) algorithms A(.,.,.) and for all 
c and sufficiently large k, 

Pr[E{x,A(l k ,x,z)) = z]<k' c 

when z is chosen at random from {0, l} k and the pair (x, y) is obtained by running 
the generator on input 1* (the probability is over the random choice of z and the 
coin tosses of G and A). 
The algorithms G, E and / are called the generating, evaluating and inverting algo- 
rithms respectively. 

Definition 3.2 A function f is a trapdoor permutation with security parameter k if 
there is a trapdoor permutation generator (G, E, I) such that f = E(x, ·) for a pair 
of strings (x, y) obtained by running G on input 1^k. 

Notice that as defined above, a trapdoor permutation with security parameter 
k has domain all of {0,1}^k. This is not the case with known candidates such as 
RSA ([RSA]) or the trapdoor permutations of [BBS] where the domain is a subset of 
{0,1}^k. Also notice that the probability of inversion that we require in part (2) of 
the definition (k^{-c}) looks very low. Both of these, though, are not restrictions; all the 
known candidates can be fit into our scenario by using a cross product construction 
as in [Y]. This works as follows. 

Given a trapdoor permutation f on a subset D of {0,1}^k such that |D| ≥ 2^k · k^{-d} 
for some d and f is hard to invert on all but a polynomial fraction of D, extend f 
to {0,1}^k by defining it to be the identity function on {0,1}^k − D. This yields a 
permutation f on {0,1}^k. Define a function F on 

$\underbrace{\{0,1\}^k \times \cdots \times \{0,1\}^k}_{k^{d+2}}$

by $F(x_1, \ldots, x_{k^{d+2}}) = (f(x_1), \ldots, f(x_{k^{d+2}}))$. F is a permutation and Yao shows that 
it satisfies part (2) of Definition 3.1 given our assumptions about the original f. 

4 AN OVERVIEW OF THE SCHEME 

We present here an overview of the scheme and a sketch of the proof of security; the 
succeeding sections gives a more complete description and proof. In this section, as 
well as in the complete scheme we describe later, we disregard efficiency completely 
for the sake of simplicity. 
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4.1 Background 

In [La] Lamport suggested the following method for signing a single bit: make public 
f and a pair of points x^0 and x^1 and keep secret f^{-1}. The signature of a bit b ∈ {0,1} 
is then f^{-1}(x^b). The drawback of this method is that the number of bits that can 
be signed is limited to the number of pairs of points that are placed in the public 
key. Our scheme can be considered an extension of this type of scheme in that it 
removes the restriction on the number of bits that can be signed while using a similar 
basic format for signing a single bit. We do this by regenerating some of the public 
key information every time we sign a bit. [GMR] too uses the idea of regenerating 
some part of the information in the public key, but with a different, non Lamport 
like underlying signing method. Merkle ([M]) presents another way of extending the 
Lamport format; his more pragmatically oriented scheme, though, is not concerned 
with proofs of security. 

In the scheme described below, and then in more detail in §5, we reverse the roles 
of functions and points in the Lamport format with respect to signing a single bit, and 
then sign new points as needed. (A dual and equivalent scheme consists of directly 
using the Lamport format but signing new functions instead; this was in fact the way 
our scheme was presented in [BeMi]). 

4.2 The Signature Scheme 

A user's public key in our scheme is of the form

$$PK = (f_{0,0},\, f_{0,1},\, \ldots,\, f_{k,0},\, f_{k,1},\, a)$$

where the $f_{i,j}$ are trapdoor permutations with security parameter $k$ and $a$ is a random
$k$-bit string (we refer to $k$-bit strings equivalently as points or seeds). His secret key
is the trapdoor information $f_{i,j}^{-1}$. A message is signed bit by bit. The first bit $b_1$ is
signed by sending $f_{0,b_1}^{-1}(a)$ and a signature of a new seed $a_1$. The signature of the
$k$-bit string $a_1$ consists of sending, for each $i = 1, \ldots, k$, either $f_{i,0}^{-1}(a)$ or $f_{i,1}^{-1}(a)$
depending on whether the $i$-th bit of $a_1$ was a 0 or a 1.

At this point not only has the bit $b_1$ been signed, but the public key has been
"recreated". That is, another bit can now be signed in the same manner with $a_1$
playing the role of $a$ above. This process can be continued to sign a polynomial in $k$
number of bits. The signature of a message is thus built on a chain of seeds in which
each element of the chain is used to sign its successor.

4.3 Why is this Secure? 

Suppose $\mathcal{F}$ is a forger (as described in §2.2). We derive a contradiction by showing
that the existence of $\mathcal{F}$ implies the existence of an algorithm $A$ which inverts the
underlying trapdoor permutations with high probability.

Given a trapdoor permutation $g$ with security parameter $k$ and a $k$-bit string $z$,
the algorithm $A$ must use the forger to find $g^{-1}(z)$. $A$'s strategy will be to build a
suitable public key and then run $\mathcal{F}$ and attempt to sign the messages requested by
$\mathcal{F}$. From $\mathcal{F}$'s forged signature will come the information required to invert $g$.
The public key

$$PK = (f_{0,0},\, f_{0,1},\, \ldots,\, f_{k,0},\, f_{k,1},\, a)$$

that $A$ creates has $f_{n,c} = g$ for some $n$ and $c$. All the other functions are obtained
by running the generator, so $A$ knows their inverses. In the course of signing $A$ will
use a list of seeds of the form $g(\alpha_t)$, except for some one stage at which it will use as
seed the given point $z$. So $A$ knows how to invert all the $f_{i,j}$ at all the seeds with the
single exception of not knowing $f_{n,c}^{-1}(z)$. At this point, it is possible that $A$ will not
be able to sign a message that $\mathcal{F}$ requests. Specifically, $A$ will not be able to sign a
message $m$ if computing the signature would require knowledge of $g^{-1}(z)$. But this
is the only possible block in $A$'s signing process, and it will happen with probability
only 1/2. So $A$ succeeds in responding to all $\mathcal{F}$'s requests with probability 1/2.

By assumption $\mathcal{F}$ will now return the signature of a message not signed previously
by $A$. The placement of the original function $g$ in the public key, as well as the
placement of $z$ in the list of seeds, are unknown to $\mathcal{F}$ (more precisely, the probability
distributions of real signatures and of $A$'s signatures are the same). With some sufficiently
high probability, the signature of the new message will include the value of $g^{-1}(z)$,
which $A$ can output and halt.

5 THE SCHEME AND PROOF OF SECURITY 

5.1 Preliminary Notation and Definitions 

The $i$-th bit of a binary string $x$ is denoted $(x)_i$, while its length is denoted $|x|$.

If $a = (a_1, \ldots, a_i)$ and $b = (b_1, \ldots, b_j)$ are sequences then $a * b$ denotes the sequence
$(a_1, \ldots, a_i, b_1, \ldots, b_j)$. If $a = (a_1, \ldots, a_i)$ is a sequence and $j \leq i$ then $(a_1, \ldots, a_j)$ is
called an initial segment of $a$.

We recall [GMR]'s notation and conventions for probabilistic algorithms. If $A$ is a
probabilistic algorithm then $A(x, y, \ldots)$ denotes the probability space which assigns
to the string $\sigma$ the probability that $A$, on input $x, y, \ldots$, outputs $\sigma$. We denote by
$[A(x, y, \ldots)]$ the set of elements of $A(x, y, \ldots)$ which have non-zero probability. We
denote by $x \leftarrow A(x, y, \ldots)$ the algorithm which assigns to $x$ a value selected according
to the probability distribution $A(x, y, \ldots)$. If $S$ is a finite set we write $x \leftarrow S()$ for
the algorithm which assigns to $x$ a value selected from $S$ uniformly at random. The
notation

$$P(p(x, y, \ldots) : x \leftarrow S;\ y \leftarrow T;\ \ldots)$$

denotes the probability that the predicate $p(x, y, \ldots)$ is true after the (ordered) execution
of the algorithms $x \leftarrow S$, $y \leftarrow T$, etc. As an example of this notation, part
(2) of Definition 3.1 would be written as

$$P(E(x, u) = z : (x, y) \leftarrow G(1^k);\ z \leftarrow \{0,1\}^k();\ u \leftarrow A(1^k, x, z)) < k^{-c}.$$

We let PPT denote the set of probabilistic polynomial time algorithms. We assume
that a natural encoding of these algorithms as binary strings is used.

For the remainder of this section we fix a trapdoor permutation generator $(G, E, I)$.
With some abuse of language we will often call $x$ a function and identify it with $E(x, \cdot)$.
In the scheme we now proceed to describe we will disregard efficiency completely in
order to simplify the proof of security.

5.2 Building Blocks for Signing 

The signing algorithm makes use of many structures. This section describes the basic 
building blocks that are put together to build signatures. 

Let $(x_i^j, y_i^j) \in [G(1^k)]$ for $i = 0, \ldots, k$ and $j = 0, 1$, and let $x = (x_0^0, x_0^1, \ldots, x_k^0, x_k^1)$,
$y = (y_0^0, y_0^1, \ldots, y_k^0, y_k^1)$. Let $a, a' \in \{0,1\}^k$.

Definition 5.1 A seed authenticator $(a'; a)_x$ is a tuple of strings $(a', a, z_1, \ldots, z_k)$
for which

$$E(x_i^{(a)_i}, z_i) = a'$$

for all $i = 1, \ldots, k$.

Definition 5.2 A bit authenticator $(a'; b)_x$ is a tuple of strings $(a', b, z)$ such that
$b \in \{0,1\}$ and $E(x_0^b, z) = a'$.

Definition 5.3 An authenticator $(a'; c)_x$ is either a seed authenticator or a bit
authenticator. In the authenticator $(a'; c)_x$, $a'$ is called the root of the authenticator,
$c$ is called the child of the authenticator, and $x$ is called the source of the authenticator.

Given $x$ and a tuple purporting to be an authenticator $(a'; c)_x$, it is easy for anyone
to check that it is indeed one. However, given $a'$, $c$, and $x$ it is difficult to create an
authenticator $(a'; c)_x$ without the knowledge of $y$.

Definition 5.4 A sequence $F = (F^1, \ldots, F^p)$ of seed authenticators is a spine starting
at $a'$ if

• $a'$ is the root of $F^1$.

• for $i = 1, \ldots, p-1$, the root of $F^{i+1}$ is the child of $F^i$.

Definition 5.5 A sequence $B = (B^1, \ldots, B^q)$ of bit authenticators is $s$-attached to
the spine $F = (F^1, \ldots, F^p)$ if the root of $B^i$ is equal to the child of $F^{s+i-1}$ for
$i = 1, \ldots, q$. A sequence of bit authenticators $B = (B^1, \ldots, B^q)$ is attached to the
spine $F = (F^1, \ldots, F^p)$ if it is $s$-attached for some $s$.

5.3 Generating Keys 

The key generation algorithm $KG$ does the following on input $1^k$:

(1) Run $G$ a total of $2k+2$ times on input $1^k$ to get a list of pairs $(x_i^j, y_i^j)$ ($i = 0, \ldots, k$,
$j = 0, 1$).

(2) Select a random $k$-bit seed $a \in \{0,1\}^k$.

(3) Output the public key $PK = (1^k, x, a, S_B)$ where $x = (x_0^0, x_0^1, \ldots, x_k^0, x_k^1)$ and $S_B$
is the signature bound.

(4) Output the secret key $SK = y = (y_0^0, y_0^1, \ldots, y_k^0, y_k^1)$.

Figure 1: A signature corpus (left), and a signature of a message $m$ (right)

5.4 What is a Signature? 

Definition 5.6 A signature of a message $m \in M_k$ with respect to a public key
$PK = (1^k, x, a, S_B)$ is a triple $(F, B, m)$ where $F = (F^1, \ldots, F^{pk})$ ($p \geq 1$) is a spine
and $B = (B^1, \ldots, B^k)$ is a sequence of bit authenticators such that

• $B$ is $((p-1)k+1)$-attached to $F$.

• $F$ starts at $a$.

• For all $i = 1, \ldots, k$ the child of $B^i$ is $(m)_i$.

• The common source of all the authenticators is $x$.

Figure 2 shows a schema of a signature for a message $m$ with respect to a public
key $(1^k, x, a_0, S_B)$; here $F^i = (a_{i-1}; a_i)_x$ ($i = 1, \ldots, pk$) and $B^i = (a_{(p-1)k+i}; (m)_i)_x$
($i = 1, \ldots, k$).

5.5 The Signing Algorithm and Signature Corpus 

Let $PK = (1^k, x, a_0, S_B)$ and $SK = y$ be a pair of public and secret keys. We
presume that the signing procedure $S$ is initialized with the values of $PK$ and $SK$
and has already signed messages $m_1, \ldots, m_{i-1}$ and kept track of the signatures $S_1 =
(F_1, B_1, m_1), \ldots, S_{i-1} = (F_{i-1}, B_{i-1}, m_{i-1})$ of these messages. We let $F_0$ be the empty
sequence. To compute a signature $S_i = (F_i, B_i, m_i)$ for $m_i$, where $i \leq S_B(k)$ and
$m_i \in M_k$, $S$ performs the following steps:

(1) Set $l = (i-1)k$, and select $k$ seeds $a_{l+1}, \ldots, a_{l+k} \in \{0,1\}^k$ at random.

(2) Form the seed authenticators

$$F^j = (a_{j-1}; a_j)_x,$$

for $j = l+1, \ldots, l+k$, and let $F$ be the spine $(F^{l+1}, \ldots, F^{l+k})$.

(3) Form the bit authenticators

$$B^j = (a_{l+j}; (m_i)_j)_x,$$

for $j = 1, \ldots, k$, and let $B_i = (B^1, \ldots, B^k)$.

(4) Let $F_i = F_{i-1} * F$ and output $S_i = (F_i, B_i, m_i)$ as the signature of $m_i$.

Figure 1 shows a schema of the data structure constructed by the signing procedure
as described above. This structure will be called a signature corpus below.

Definition 5.7 Let

$$(F_1, B_1, m_1), \ldots, (F_i, B_i, m_i)$$

be a sequence of the first $i$ signatures output by our signing algorithm $S$, for some
$i \geq 0$. Let $F = F_i$ and $B = B_1 * \ldots * B_i$. We call signature corpus the triple
$C = (F, B, (m_1, \ldots, m_i))$.

Note that a signature corpus $(F, B, M)$ is a spine $F = (F^1, \ldots, F^p)$ to which is
1-attached the sequence of bit carrying items $B = (B^1, \ldots, B^p)$.

Definition 5.8 Let $Z = (F, B, M)$ be either a single signature or a signature corpus,
relative to a public key $PK = (1^k, x, a_0, S_B)$, where $F = (F^1, \ldots, F^p)$ and $B =
(B^1, \ldots, B^q)$. Then

(1) $F(Z)$ denotes $F$, the spine of $Z$, and $B(Z)$ denotes $B$, the sequence of bit
authenticators of $Z$. The authenticators in $F$ are called the seed authenticators of
$Z$ and the authenticators in $B$ are called the bit authenticators of $Z$.

(2) The set of authenticators of $Z$ is $A(Z) = \{F^1, \ldots, F^p\} \cup \{B^1, \ldots, B^q\}$.

(3) The chain of seeds of $Z$, denoted $P(Z)$, is the sequence of seeds which form the
roots and children of the seed authenticators of $F$. That is, $P(Z) = (a_0, a_1, \ldots, a_p)$,
where $a_i$ is the child of $F^i$ for all $i = 1, \ldots, p$.

(4) The set of roots of $Z$, denoted $R(Z)$, is the set of roots of the seed authenticators
of $Z$.

(5) The tuple $M$ of messages signed by $Z$ is denoted $M(Z)$. (If $Z$ is the signature of
a single message $m$, we just let $M(Z) = m$.)
5.6 The Verification Algorithm

Given a public key PK and something purporting to be a signature of a message m 
with respect to PK, it is easy to check whether this is indeed the case. It is easy 
to see that checking whether a given object really has the form of definition 5.6 only 
requires knowledge of the public key. 
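As an added worked example, not code from the paper, the following Python models key generation (§5.3), the signing procedure (§5.5) and the verification check (§5.6) of the scheme, with the chain of seeds described in §4.2. The generator $G$ is replaced by a toy RSA permutation on $\mathbb{Z}_n$ with $n < 2^k$, extended by the identity on the rest of $\{0,1\}^k$ (the extension described at the start of this section); the constants `K` and `SB`, the names `keygen`, `Signer`, `verify` and `demo`, and the two sample messages are this example's own. The parameter sizes give no security at all; the point is the data structure and the checks a verifier performs with the public key alone.

```python
import random
from math import gcd

K = 12    # security parameter k: seeds and messages are k-bit strings (toy size)
SB = 4    # signature bound S_B(k): how many messages one key may sign (toy value)

def _primes_upto(limit):
    sieve = [True] * (limit + 1)
    sieve[0] = sieve[1] = False
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            for j in range(i * i, limit + 1, i):
                sieve[j] = False
    return [i for i, is_p in enumerate(sieve) if is_p]

def gen_trapdoor(k, rng):
    """Stand-in for G(1^k): RSA on Z_n with n < 2^k, extended by the identity on
    [n, 2^k) as in the construction above, so E(x, .) permutes {0,1}^k. Returns (x, y)."""
    primes = [p for p in _primes_upto(1 << (k // 2)) if p > 3]
    while True:
        p, q = rng.sample(primes, 2)
        if p * q < (1 << k):
            break
    phi, e = (p - 1) * (q - 1), 3
    while gcd(e, phi) != 1:
        e += 2
    return (p * q, e), (p * q, pow(e, -1, phi))

def apply(key, s):
    """E(x, s) with the public key x = (n, e); the inverse with the trapdoor y = (n, d)."""
    n, exp = key
    return pow(s, exp, n) if s < n else s

def bit(s, i, k):
    """(s)_i: the i-th bit (1-based, from the left) of the k-bit string s."""
    return (s >> (k - i)) & 1

def keygen(k=K, rng=None):
    """KG(1^k): 2k+2 trapdoor permutations x_i^j (i = 0..k, j = 0,1) and a random seed a_0."""
    rng = rng or random.SystemRandom()
    x, y = {}, {}
    for i in range(k + 1):
        for j in (0, 1):
            x[i, j], y[i, j] = gen_trapdoor(k, rng)
    return {"k": k, "x": x, "a0": rng.getrandbits(k), "SB": SB}, {"y": y}

class Signer:
    """The signing procedure S; it keeps the spine F_i and the seed chain P across messages."""
    def __init__(self, pk, sk, rng=None):
        self.pk, self.y = pk, sk["y"]
        self.rng = rng or random.SystemRandom()
        self.spine = []              # seed authenticators (a_{j-1}; a_j)_x for j = 1, 2, ...
        self.seeds = [pk["a0"]]      # P = (a_0, a_1, ...)
        self.signed = 0              # i - 1: messages signed so far

    def sign(self, m):
        k = self.pk["k"]
        if self.signed >= self.pk["SB"]:
            raise ValueError("signature bound S_B reached")
        for _ in range(k):           # steps 1-2: k fresh seeds, each signed by its predecessor
            a_prev, a_new = self.seeds[-1], self.rng.getrandbits(k)
            z = tuple(apply(self.y[i, bit(a_new, i, k)], a_prev) for i in range(1, k + 1))
            self.spine.append((a_prev, a_new, z))
            self.seeds.append(a_new)
        l = self.signed * k          # step 3: B^j = (a_{l+j}; (m)_j)_x with l = (i-1)k
        bits = tuple((self.seeds[l + j], bit(m, j, k), apply(self.y[0, bit(m, j, k)], self.seeds[l + j]))
                     for j in range(1, k + 1))
        self.signed += 1
        return (tuple(self.spine), bits, m)   # step 4: the whole spine so far travels with the signature

def verify(pk, sig):
    """Checks the form of Definition 5.6; needs only the public key."""
    k, x = pk["k"], pk["x"]
    F, B, m = sig
    p = len(F) // k
    if p < 1 or len(F) != p * k or len(B) != k or F[0][0] != pk["a0"]:
        return False
    for idx, (root, child, z) in enumerate(F):   # F must be a spine of valid seed authenticators
        if idx > 0 and root != F[idx - 1][1]:
            return False
        if len(z) != k or any(apply(x[i, bit(child, i, k)], z[i - 1]) != root for i in range(1, k + 1)):
            return False
    s = (p - 1) * k + 1                          # B must be s-attached to F and carry the bits of m
    for i, (root, b, z) in enumerate(B, start=1):
        if b != bit(m, i, k) or root != F[s + i - 2][1] or apply(x[0, b], z) != root:
            return False
    return True

def demo(seed=1):
    """Signs two constructed 12-bit messages under one key, then tampers with the second."""
    rng = random.Random(seed)                    # deterministic toy randomness, not for real use
    pk, sk = keygen(K, rng)
    signer = Signer(pk, sk, rng)
    s1, s2 = signer.sign(0b101100111000), signer.sign(0b000111010101)
    tampered = (s2[0], s2[1], s2[2] ^ 1)         # flip the last message bit, keep the authenticators
    return verify(pk, s1), verify(pk, s2), verify(pk, tampered), len(s1[0]), len(s2[0])
```

`demo()` returns `(True, True, False, 12, 24)`: the second signature carries a spine twice as long as the first, which is the $O(kS_B(k))$ growth that §6 addresses with a tree, and changing one message bit without the matching inverse under $x_0^b$ fails the bit-authenticator check.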

5.7 Extracting Information From a Forgery 

As indicated in the overview of §4.3, a forgery must eventually be used to extract
information about the inversion of a trapdoor function. The preliminary definitions
and lemmas here are devoted to characterizing the structure of a forgery relative to
a given corpus.

Lemma 5.1 Let $C$ be a signature corpus relative to a public key $PK = (1^k, x, a, S_B)$
and let $S$ be a signature, relative to the same public key, of a message $m$ not in $M(C)$.
Then there is an $a'$ in $P(C)$ such that one of the following holds:

(1) There is a pair of seed authenticators, $(a'; h_1)_x$ in $F(C)$ and $(a'; h_2)_x$ in $F(S)$,
such that $h_1 \neq h_2$.

(2) $a'$ is not in $R(C)$ (i.e. $a'$ is the child of the last authenticator in the spine) and
there is a seed authenticator $(a'; h)_x$ in $F(S)$.

(3) There is a pair of bit authenticators, $(a'; b_1)_x$ in $B(C)$ and $(a'; b_2)_x$ in $B(S)$, such
that $b_1 \neq b_2$.

Proof: Suppose neither (1) nor (2) holds. Since $F(S)$ and $F(C)$ both start at $a$,
$F(S)$ must be an initial segment of $F(C)$. Thus $P(S)$ is an initial segment of $P(C)$.
Since $B(S)$ is attached to $F(S)$, the roots of all the bit authenticators of $S$ are in
$P(S)$, hence in $P(C)$. So if $P(C) = (a_0, \ldots, a_{pk})$ then there is some $i$ such that
$(a_{(i-1)k+j}; (m_i)_j)_x \in B(C)$ and $(a_{(i-1)k+j}; (M(S))_j)_x \in B(S)$ for all $j = 1, \ldots, k$,
where $m_i \in M_k$ is the $i$-th message in the corpus. But $M(S)$ is not in $M(C)$, so
there is some $j$ such that $(M(S))_j \neq (m_i)_j$. Let $b_1 = (m_i)_j$, $b_2 = (M(S))_j$, and
$a' = a_{(i-1)k+j}$. Then $(a'; b_2)_x \in B(S)$ and $(a'; b_1)_x \in B(C)$ are the desired bit
authenticators which give us part (3) of the lemma. □

Let $PK = (1^k, x, a, S_B)$ be a public key, where $x = (x_0^0, x_0^1, \ldots, x_k^0, x_k^1)$, and let $C$
be a signature corpus relative to $PK$. We introduce the notion of a pair $(a', x_i^j)$ being
unused in $C$, where $a'$ is in $P(C)$. Informally, we would like to say that $(a', x_i^j)$ is
unused if the authenticators in the corpus $C$ do not contain $E(x_i^j, \cdot)^{-1}(a')$. That is,
the inversion of $E(x_i^j, \cdot)$ at $a'$ was not required in the signing process. For technical
reasons, however, the formal definition that we use is rather to say that the inversion
of $E(x_i^{1-j}, \cdot)$ was required in the signing process. Boundary conditions (being at the
end of the spine) complicate things a little further.

Definition 5.9 Let $PK$, $C$ be as above. We say that $(a', x_i^j)$ is unused in $C$ if $a'$ is
in $P(C)$ and one of the following holds:

(1) There is a seed authenticator $(a'; h)_x$ in $A(C)$ with $(h)_i \neq j$.

(2) $i \neq 0$ and $a'$ is not in $R(C)$. (So $a'$ is at the tail end of the spine $F(C)$.)

(3) $i = 0$ and there is a bit authenticator $(a'; b)_x$ in $A(C)$ with $b \neq j$.

With $PK$, $C$ as above, let $S$ be the signature of a message $m$ not in $M(C)$, relative
to $PK$. We show that this signature could not have been created without inverting
$E(x_i^j, \cdot)$ at $a'$ where $(a', x_i^j)$ was some unused pair in the corpus $C$.

Lemma 5.2 There is a polynomial time algorithm which takes as input $PK$, $C$, and
$S$ as described above, and outputs a triple of the form $(a', x_i^j, u)$ such that the pair
$(a', x_i^j)$ was unused in $C$ and $E(x_i^j, u) = a'$.

Proof: Let $a'$ be the seed of Lemma 5.1. The proof breaks down into the cases
provided by Lemma 5.1, and we number the cases below accordingly. Note that given
$C$ and $S$ it is possible for an algorithm to determine which of the cases of Lemma 5.1
applies.

(1) Since $h_1 \neq h_2$ we can find an $i$ such that $(h_1)_i \neq (h_2)_i$. Set $j = (h_2)_i$. The
authenticator $(a'; h_2)_x$ provides us with the value $E(x_i^j, \cdot)^{-1}(a')$, and by the first
part of Definition 5.9 the pair $(a', x_i^j)$ is unused in $C$.

(2) Set $i$ to any value between 1 and $k$ and set $j = (h)_i$. The authenticator $(a'; h)_x$
provides us with the value $E(x_i^j, \cdot)^{-1}(a')$, and the second part of Definition 5.9
says that $(a', x_i^j)$ is unused in $C$.

(3) Set $i = 0$ and $j = b_2$. The authenticator $(a'; b_2)_x$ provides us with the value
$E(x_0^j, \cdot)^{-1}(a')$ and the last part of Definition 5.9 says that $(a', x_0^j)$ is unused in $C$.
□

5.8 Proof of Security 

We are finally ready to prove 

Theorem 5.1 Under the assumption that $(G, E, I)$ is a trapdoor permutation generator
the above signature scheme is not even $Q$-forgeable (see §2.2), for all polynomials
$Q$ and all sufficiently large $k$.

The proof of the theorem is by contradiction. Assume the existence of a polynomial
$Q$, an infinite set $K$, and a forger $\mathcal{F}(\cdot)$ such that for all $k \in K$, $\mathcal{F}$ is successful in forging
with probability $\geq 1/Q(k)$ on input a public key chosen according to the distribution
induced by $KG$. Our goal is to construct an algorithm $A(\cdot, \cdot, \cdot) \in$ PPT which on
input $1^k, x, z$ uses $\mathcal{F}$ to find $E(x, \cdot)^{-1}(z)$.

$A$ operates as follows on input $1^k, x, z$:

(1) Let $n \leftarrow \{0, \ldots, k\}()$, $c \leftarrow \{0, 1\}()$, and $t \leftarrow \{0, \ldots, kS_B(k)\}()$.

(2) Run $G$ a total of $2k+1$ times on input $1^k$ to get $(x_i^j, y_i^j)$ for $i = 0, \ldots, k$, $j =
0, 1$, $(i, j) \neq (n, c)$. Let $x_n^c = x$, and let $x = (x_0^0, x_0^1, \ldots, x_k^0, x_k^1)$.

(3) Pick $kS_B(k)$ random $k$-bit strings $\beta_0, \ldots, \beta_{t-1}, \beta_{t+1}, \ldots, \beta_{kS_B(k)}$, and then create
the seeds

$$a_l = \begin{cases} z & \text{if } l = t \\ E(x, \beta_l) & \text{otherwise.} \end{cases}$$

Let $P$ be the sequence $(a_0, a_1, \ldots, a_{kS_B(k)})$.

(4) Let $PK = (1^k, x, a_0, S_B)$.

(5) Invoke $\mathcal{F}$ on the public key $PK$, and attempt to sign the requested messages in the
same manner as the signing procedure $S$, but using the already generated seeds
from $P$ where $S$ would pick random new seeds. The inverses of all but one of the
functions in $x$ are known, and, for that function $x_n^c$, the value $E(x_n^c, \cdot)^{-1}(a_l) = \beta_l$
is known for all values $l \neq t$. If either $(a_{t+1})_n = c$, or $n = 0$ and the sequence
of requested messages has $c$ in the $t$-th position, it will not be possible to sign.
Output 0 and halt in this case. If all $\mathcal{F}$'s requested messages are successfully
signed, let $C$ be the corpus of these signatures.

(6) If $\mathcal{F}$ does not now output a signature of a message not in $M(C)$, output 0 and
halt. Otherwise, invoke the algorithm of Lemma 5.2 on input $PK$, $C$, and the
signature $S$ output by $\mathcal{F}$. This algorithm outputs a tuple $(a', x', u)$. Now output
$u$ and halt.

We consider the distribution of $A$'s output when its inputs are chosen at random;
that is, we consider the result of executing

$$(x, y) \leftarrow G(1^k);\ z \leftarrow \{0,1\}^k();\ u \leftarrow A(1^k, x, z).$$

Lemma 5.3 The public key $PK$ created in step 4 has the same distribution as that
induced on public keys by the key generation algorithm $KG$.

Proof: The functions $x_i^j$ of step 2 were obtained by running $G$, as was $x$, so $x$ has
the right distribution. The $\beta_l$ were chosen at random in step 3. Since $E(x, \cdot)$ is a
permutation, the seeds $a_l$ are also randomly distributed. Since $a_0$ is either one of
these or the randomly chosen $z$, it is randomly distributed. So $PK$ has the same
distribution as generated by $KG$ (§5.3). □

Lemma 5.4

(1) The distribution of signatures generated by the conversation between $\mathcal{F}$ and $A$
is, at every stage in the conversation, the same as the distribution that would be
generated in a conversation between $\mathcal{F}$ and the legal signer $S$.

(2) With probability $\geq 1/2$ all of $\mathcal{F}$'s requests are successfully signed.

Proof: As noted above, the public key has the right distribution. Now the steps used
by $A$ to sign are exactly those of the signing algorithm $S$, with the one exception noted
in step 5 of the description of $A$. The signatures received by $\mathcal{F}$ up to this crucial point
have the same distribution as the legal signer would have generated. Up to this point,
then, $\mathcal{F}$ sees no anomaly. Now at the next step $A$ must invert either $E(x_n^0, \cdot)$ or
$E(x_n^1, \cdot)$ at $a_t$. Since $c$ was chosen at random, we can conclude that this stage is
passed with probability $1/2$. Moreover, this and future signatures are still with the
right distribution. Both parts of the lemma are thus verified. □

Suppose all $\mathcal{F}$'s requests are signed. By the preceding lemma, the corpus generated
has the same distribution as would have been generated with the legal signer.
By assumption we know $\mathcal{F}$ forges with probability $\geq 1/Q(k)$ on this distribution. Since the
signing was accomplished with probability $\geq 1/2$ we obtain a forgery $S$ with probability

$$\geq \frac{1}{2Q(k)}.$$

The next step is to show that the $u$ output by $A$ is equal to $E(x, \cdot)^{-1}(z)$ with sufficiently
high probability.

Note that $P(C)$ is an initial segment of the sequence $P$. If the requested messages
added together to a length of more than $t$ bits, then $z$ is in $P(C)$. The signing process
is accomplished only if inverting $E(x, \cdot) = E(x_n^c, \cdot)$ at $z$ is avoided, so if $z$ is in $P(C)$
then $(z, x)$ is unused in $C$. We state this as a lemma.

Lemma 5.5 If $A$ does succeed in signing all of $\mathcal{F}$'s requests, and if $z$ is in $P(C)$,
then $(z, x)$ is unused in $C$.

Proof: If $z$ is the last seed in the sequence $P(C)$ and $n > 0$ then we have case (2) of
Definition 5.9. Otherwise, since the signing was accomplished, either (1) or (3) must
hold. □

By Lemma 5.2, $u = E(x_i^j, \cdot)^{-1}(a')$ for some pair $(a', x_i^j)$ unused in $C$. We would
like the pair to actually be $(z, x)$, for then $u = E(x, \cdot)^{-1}(z)$. The randomization of
the $n$ and $t$ parameters (step 1) serves to capture this event with probability at least

$$\frac{1}{(1+k)(1+kS_B(k))}.$$

We conclude that for all $k \in K$,

$$P(E(x, u) = z : (x, y) \leftarrow G(1^k);\ z \leftarrow \{0,1\}^k();\ u \leftarrow A(1^k, x, z)) \geq \frac{1}{2Q(k)(1+k)(1+kS_B(k))},$$

contradicting the fact that $G$ is a trapdoor permutation generator. This completes
the proof of Theorem 5.1.

6 VARIATIONS AND IMPROVEMENTS 

The signatures produced by the signing algorithm of the previous section are far from
compact: signatures with respect to a public key $PK = (1^k, x, a, S_B)$ could reach
lengths of $O(kS_B(k))$. We describe briefly here how tree structures in the style of
[GMR] could replace the linear structures of the above scheme to produce signatures
of length $O(k \log S_B(k))$. The size of signatures in the modified scheme will not
only be smaller but will be independent of the signatures of previous messages. The
modified scheme retains the security properties of the original one.

The public key now contains $2k+1$ pairs of randomly chosen trapdoor functions
of security parameter $k$ together with, as before, a single seed. Each seed is used to
sign two others, which become its right and left children in the tree; the first $k$ pairs
of the above functions are used to sign the left child, and the second $k$ pairs to sign
the right child. The tree is grown to height $k \log S_B(k)$. Each leaf can then be used
as the root of a linear chain of length $k$ which signs a single message. The proof of
security needs little change for the modified scheme, and details are left to the final
paper.

The assumption that messages are always of length equal to the security parameter 
can be removed: to sign messages of arbitrary length it suffices to first encode them 
with a subsequence free encoding. This is an encoding which guarantees that no string 
is a substring of the concatenation of any number of other strings, and such encodings 
are easy to construct. 

Further, the scheme, in its tree version, can be made memoryless (as in the mod- 
ifications of [Go] and [Gu] to the [GMR] scheme); the same ideas used by [GMR] 
(attributed to Levin), and extended in [Go], can be applied here. The main tool 
is the use of pseudo-random functions ([GGM]) whose existence is implied by our 
assumptions. 
ABSTRACT

At EUROCRYPT'88, we introduced an interactive zero-knowledge protocol (Guillou and 
Quisquater [13]) fitted to the authentication of tamper-resistant devices (e.g. smart cards, 
Guillou and Ugon [14]). 

Each security device stores its secret authentication number, an RSA-like signature 
computed by an authority from the device identity. Any transaction between a tamper- 
resistant security device and a verifier is limited to a unique interaction: the device sends 
its identity and a random test number; then the verifier tells a random large question; and 
finally the device answers by a witness number. The transaction is successful when the test 
number is reconstructed from the witness number, the question and the identity according 
to numbers published by the authority and rules of redundancy possibly standardized. 

This protocol allows a cooperation between users in such a way that a group of cooper- 
ative users looks like a new entity, having a shadowed identity the product of the individual 
shadowed identities, while each member reveals nothing about its secret. 

In another scenario, the secret is partitioned between distinct devices sharing the same 
identity. A group of cooperative users looks like a unique user having a larger public 
exponent which is the greater common multiple of each individual exponent. 

In this paper, additional features are introduced in order to provide: firstly, a mutual 
interactive authentication of both communicating entities and previously exchanged mes- 
sages, and, secondly, a digital signature of messages, with a non-interactive zero-knowledge 
protocol. The problem of multiple signature is solved here in a very smart way due to the 
possibilities of cooperation between users. 

The only secret key is the factors of the composite number chosen by the authority 
delivering one authentication number to each smart card. This key is not known by the 
user. At the user level, such a scheme may be considered as a keyless identity-based integrity
scheme. This integrity has a new and important property: it cannot be misused, i.e. derived
into a confidentiality scheme.

Keywords: cryptology, factoring, complexity, randomization, zero-knowledge in- 
teractive proofs, identity-based system, public key system, integrity, identification, 
authentication, digital signature. 
1 Introduction

Some problems are very asymmetric: although only inefficient methods are known 
for solving these problems, any proposal is easily tested in order to know whether 
it is a solution or not. There are two methods in order to prepare an instance of 
such a complex problem: 

— either you prepare the instance by yourself; 

— or an authority does it for you, in relation with your identity. 

In the first method, each user picks a trap at random, and then deduces the 
text of a problem having this trap as solution. This method leads to systems where 
each user has his own secret key. An authority manages the system by registering 
the users and their public keys in a publicly available register. 

Factoring large integers is a pretty well known example of such a complex 
problem. The following operations are rather easy to do: selecting at 
random two large prime integers and computing their product. But 
only inefficient methods are known to factor large composite integers. 
Outside number theory, many other complex problems are available. 

In the second method, each user relies upon a trusted authority, like a bank, 
a credit card company, a telephone operator or a transportation authority; after 
the signature of a contract specifying the rights and obligations of each party, the 
authority delivers to the new user a tamper-resistant security device, e.g. a smart 
card, storing a secret identity-based authentication number. This alternate method 
leads to a keyless system. Only the authority has a secret key while each card holds 
its own authentication number which is not a trap. Other identity-based systems 
have been investigated (Shamir [17], Desmedt and Quisquater [4], Quisquater [15]), 
but our approach is different: here we are authenticating the security device only, 
not its holder. 

How, without revealing it, can a tamper-resistant security device convince any 
verifier that it knows the authentication value corresponding to its identity? 

According to the zero-knowledge techniques (Goldwasser, Micali and Rackoff 
[8], Goldreich, Micali and Wigderson [10]), the device convinces the verifier without 
revealing anything on the specific value of the authentication number which remains 
thus an efficient identification element as long as the secret is unrevealed and as 
long as the (instance of the) problem remains unsolved. The knowledge of the 
authentication number makes the difference between the tamper-resistant device 
and the outside. 

After an interactive process, the verifier has nothing else but an intimate con- 
viction which cannot be transmitted to anybody else. The interactive process may 
be used, not only to check the identity of the device, but also to check messages 
endorsed by the device. This method of proof is "non-transitive". 
After a non-interactive process, like a signature, the verifier is convinced and can
convince a judge that a genuine device signed the message. A knowledge is clearly
transmitted along with each signature; but while proving that the device knows its
authentication number, the signature still transmits no knowledge at all on the specific
value of the underlying authentication number, which may be used indefinitely as
an identification element of the device.

The zero-knowledge techniques are very efficient in various processes aiming at
protecting the integrity of data and systems: identification, authentication and signature.

2 The GQ authentication scheme 

We found an interactive protocol aiming at verifying the presence of a secret authen- 
tication number in a tamper-resistant security device claiming its identity (Guillou 
and Quisquater [13]). 

Each tamper-resistant security device (e.g. a smart card) holds its unique authentication
number $B$ related to its identity $I$ by the following simple equation:

$$B^v \cdot J \bmod n = 1, \quad \text{with } J = \mathrm{Red}(I),$$

where

$n$: is a composite number;

$v$: is an exponent, both published by the authority and known to each verifier;

$J$: is the "shadowed" identity of the device, that is to say a number as large as $n$,
including the claimed identity $I$, half shorter than $n$, completed by a redundancy
(the shadow) depending on $I$ (Guillou and Quisquater [11], Guillou,
Davio and Quisquater [12]). Redundancy rules Red (or how to construct $J$
from $I$) are published or preferably standardized.

NOTE: Let us mention that ISO is standardizing a "digital signature 
scheme with shadow " (see ISO-DP 9796) in the Working Group 
JTC1/SC20/WG2 (public-key techniques). 

The authentication transaction between the verifier and the device is limited to a 
unique interaction, which was not the case with the previous proposals (Fiat-Shamir 
[5], [6]). Here is the interactive protocol described in [13]: 

1. The card $I$ transmits its identity $I$ and a test number $T$ which is the $v$-th
power in $\mathbb{Z}_n$ of an integer $r$ picked at random in $\mathbb{Z}_n^*$.

2. The verifier asks a question $d$ which is an integer picked at random from 0 to
$v - 1$.

3. The card $I$ sends a witness number $t$ which is the product in $\mathbb{Z}_n$ of the integer
$r$ by the $d$-th power of the authentication number $B$.

4. In order to verify such a witness number $t$, the verifier computes the product
of the $d$-th power of the shadowed identity $J$ by the $v$-th power of the witness $t$,
that is:

$$J^d \cdot t^v \bmod n = J^d \cdot (r \cdot B^d)^v \bmod n = (J \cdot B^v)^d \cdot r^v \bmod n = T.$$

The proof of security relies on three basic facts:

— A device knowing the authentication number can easily answer correctly any
question.

— A lucky guesser has an evident winning strategy by choosing first any witness
number before deducing a test number according to the guessed question.

— Knowing two correct witness numbers according to any two different questions
for the same test number (anyone) reveals the authentication number.

Let us define a cheater as a device trying to fool the verifier, while not knowing 
the specific value of B. 

On one hand, any cheater having guessed the question d can obviously prepare 
a good looking pair T and t by, firstly, picking t at random in Z n and, secondly, 
deducing T by computing exactly as the verifier will do. 

On the other hand, having two witnesses t' and t" corresponding to two different 
questions d' and d" for the same test number T gives a significant (and generally 
total) knowledge about the authentication number B (see the proof in the next 
section). 

Any cheater is thus able to prepare in advance exactly one witness number (at 
least one, but not two). A lucky cheater thus fools the verifier by guessing one 
question amongst v possible questions. At each transaction, the verifier has (v — 1) 
chances on v to defeat a cheater. Thus, when the size of v, also named depth of the 
authentication number, is sufficient to reach directly the required level of security, 
there is no need to repeat the interaction. 

In the GQ scheme, the size of required memory and the volume of transmitted 
data are reduced to minimum minimorum. It is well fitted to smart card authenti- 
cation. 

3 Security of the GQ scheme 

Now let us consider more precisely the conditions on $v$ and the factors of $n$ in the
GQ scheme. Let us consider that $n$ has only two prime factors: $p$ and $q$.
Let us consider that $v$ is an odd integer which is an RSA-like exponent, so that
$\gcd(p-1, v) = \gcd(q-1, v) = 1$. The case where $v$ is an even integer will
be considered in the full paper; the exponent $v$ may even be a power of two.

Let us consider carefully the verification formula when $v$ is an RSA-like exponent:

$$F_d(t) = J^d \cdot t^v \bmod n.$$
A collision is a set of four integers

$$\{t', t'', d', d''\}, \quad t', t'' \in Z_n^*;\ 0 \le d'' < d' \le v-1$$

such that $F_{d'}(t') = F_{d''}(t'')$, which is

$$J^{d'} \cdot t'^{\,v} \bmod n = J^{d''} \cdot t''^{\,v} \bmod n,$$

and may be transformed into

$$J^{(d'-d'')} \cdot (t'/t'')^v \bmod n = 1.$$

According to the Bezout formula, there exists a unique pair of integers $k$, $0 \le
k \le v-1$, and $m$, $0 \le m \le d'-d''-1$, easily computed by the Euclidean algorithm,
such that

$$m \cdot v - k \cdot (d'-d'') = \pm \gcd(v, d'-d'').$$

Let us raise the equation to the power $k$ and substitute $k \cdot (d'-d'') = m \cdot v \mp \gcd(v, d'-d'')$:

$$1 = J^{k(d'-d'')} \cdot (t'/t'')^{kv} \bmod n
= J^{m v \mp \gcd(v, d'-d'')} \cdot (t'/t'')^{kv} \bmod n
= J^{\mp \gcd(v, d'-d'')} \cdot \left(J^m \cdot (t'/t'')^k\right)^v \bmod n.$$

Thus:

When $v$ is prime, any collision provides $B$: the gcd is 1, so $J^{\mp 1}$ is the $v$-th
power of a known integer, and since $\gcd(p-1, v) = \gcd(q-1, v) = 1$ makes $v$-th roots
unique, $B$ follows. When $v$ is composite, generally any collision provides $B$ as well,
and in some cases a partial knowledge of $B$ is obtained as a power of $B$ of a rank
dividing $v$ (namely $\gcd(v, d'-d'')$).

Knowing any collision in $F$ is thus equivalent to knowing $B$ or a power of $B$ of
a rank dividing $v$.

For a given user, $J$ and $v$ are fixed: the function $F$ from $t$ to $F_d(t)$ is a set of
permutations of $Z_n$ indexed by $d$, $0 \le d \le v-1$.
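The basic GQ round of this section, the lucky guesser, and the collision-to-$B$ extraction are worked below in Python, as an added example that is not code from the paper. The primes 47 and 59, the exponents 7 and 35 and the secret 123 are assumptions chosen only so that the arithmetic stays small; the extraction goes slightly beyond the prime-$v$ case above and also returns the partial knowledge $B^{\gcd(v, d'-d'')}$ obtained when $v$ is composite.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with x*a + y*b = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def gq_setup(p, q, v, B):
    """Toy GQ parameters (assumed values, not the paper's): modulus n = p*q, RSA-like
    exponent v, secret authentication number B, public shadowed identity J with
    J * B^v = 1 mod n.  Real cards use large secret primes; these are for illustration."""
    n = p * q
    assert gcd(v, (p - 1) * (q - 1)) == 1, "v coprime to (p-1)(q-1): v-th roots are then unique"
    J = pow(pow(B, v, n), -1, n)
    return n, J


def honest_round(n, v, B, r, d):
    """Steps 1 and 3 for a device that knows B: test number T = r^v, witness t = r * B^d."""
    T = pow(r, v, n)
    t = r * pow(B, d, n) % n
    return T, t


def verify(n, v, J, T, d, t):
    """Step 4: J^d * t^v must equal T (it does for an honest card because (J * B^v)^d = 1)."""
    return pow(J, d, n) * pow(t, v, n) % n == T


def cheater_round(n, v, J, guessed_d, t):
    """Lucky guesser: choose the witness t first, then deduce a test number T that the
    verifier's formula accepts for the guessed question.  Works with probability 1/v."""
    return pow(J, guessed_d, n) * pow(t, v, n) % n


def extract_B(n, v, J, d1, t1, d2, t2):
    """Two correct witnesses for the same test number and different questions form a
    collision J^(d1-d2) * (t1/t2)^v = 1.  Returns (g, B^g mod n) with g = gcd(v, d1-d2):
    g == 1 (always, when v is prime) yields B itself; g > 1 yields the partial knowledge
    B^g described for composite v."""
    if d1 < d2:
        d1, t1, d2, t2 = d2, t2, d1, t1
    delta = d1 - d2
    X = t1 * pow(t2, -1, n) % n          # J^delta * X^v = 1 (mod n)
    g, a, b = egcd(v, delta)             # a*v + b*delta = g
    # Raise the collision to the power b:  J^(b*delta) * X^(b*v) = 1,
    # and b*delta = g - a*v, hence J^g = (J^a * X^-b)^v.
    Y = pow(J, a, n) * pow(X, -b, n) % n
    # J^g = Y^v and J = B^-v, so (B^-g)^v = Y^v; v-th roots are unique, so B^g = Y^-1.
    return g, pow(Y, -1, n)
```

With $v = 7$ and questions 5 and 2 for the same $r$, `extract_B` returns `(1, 123)`, the secret itself; with the composite $v = 35$ and questions 7 and 0 it returns `(7, 123**7 mod n)`, the "power of $B$ of a rank dividing $v$" of the text.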

In a way similar to what is done in the GMR scheme (Goldwasser, Micali and
Rivest [9]), by composing the basic permutations $F_d$ indexed by $d$, $0 \le d \le v-1$, a
large family of permutations $F_D$ indexed by $D$ may be constructed. Let $D$ be an
integer written on $k$ $v$-ary digits, from the most significant one $d(k-1)$ to the least
significant one $d(0)$, where $k$ is the integer such that $v^{k-1} \le D < v^k$:

$$F_D(x) = F_{d(0)}\big(F_{d(1)}(\cdots F_{d(k-1)}(x) \cdots)\big) = J^D \cdot x^{v^k} \bmod n.$$

Knowing any collision in this composed family leads generally to knowing the
solution $\beta$ to the equation

$$J \cdot \beta^{v^k} \bmod n = 1.$$

The authentication number $B$, such that $J \cdot B^v \bmod n = 1$, is easily deduced
from $\beta$ (as $B = \beta^{v^{k-1}} \bmod n$).

Collision-resistance of this set is equivalent to computing the authentication
number $B$ by inverting an RSA instance ([16]).



4 Protocols of cooperation between entities 

4.1 Entities with same exponent and different identities 

Let us consider two tamper-resistant security devices, each one storing its unique
authentication number ($B_1$ or $B_2$) related to its identity ($I_1$ or $I_2$) by the following
equations:

$$B_1^v \cdot J_1 \bmod n = 1, \text{ with } J_1 = \mathrm{Red}(I_1),$$

$$B_2^v \cdot J_2 \bmod n = 1, \text{ with } J_2 = \mathrm{Red}(I_2).$$

The two entities, cooperating on a shared Personal Computer, are negotiating an
authentication transaction with a verifier according to the following protocol:

1. Entity $I_1$ transmits its identity $I_1$ and a test number $T_1$ which is the $v$-th power
in $Z_n$ of an integer $r_1$ picked at random in $Z_n^*$.

Entity $I_2$ transmits its identity $I_2$ and a test number $T_2$ which is the $v$-th power
in $Z_n$ of an integer $r_2$ picked at random in $Z_n^*$.

The Personal Computer sends to the verifier the two identities $I_1$ and $I_2$ and
the common test number $T$ computed from:

$$T = T_1 \cdot T_2 \bmod n = (r_1 \cdot r_2)^v \bmod n = r^v \bmod n,$$

where $r$ is used for the (implicit) common random number $r_1 \cdot r_2 \bmod n$.

2. The verifier asks a question d which is an integer picked at random from 0 to 
v - 1. 

3. Entity $I_1$ sends a witness number $t_1$ which is the product in $Z_n$ of integer $r_1$
by the $d$-th power of authentication number $B_1$.

Entity $I_2$ sends a witness number $t_2$ which is the product in $Z_n$ of integer $r_2$
by the $d$-th power of authentication number $B_2$.

The Personal Computer sends to the verifier the common witness number $t$:

$$t = t_1 \cdot t_2 \bmod n = (r_1 \cdot B_1^d) \cdot (r_2 \cdot B_2^d) \bmod n = (r_1 \cdot r_2) \cdot (B_1 \cdot B_2)^d \bmod n = r \cdot (B_1 \cdot B_2)^d \bmod n.$$

4. In order to check such a witness number $t$, the verifier computes the product
of the $d$-th powers of the shadowed identities $J_1$ and $J_2$ by the $v$-th power of
witness $t$, that is:

$$J_1^d \cdot J_2^d \cdot t^v \bmod n = J_1^d \cdot J_2^d \cdot (r_1 \cdot B_1^d \cdot r_2 \cdot B_2^d)^v \bmod n = (J_1 \cdot B_1^v)^d \cdot (J_2 \cdot B_2^v)^d \cdot r^v \bmod n = T.$$

This protocol of cooperation, easily extensible to any number of cooperating entities, 
indicates a new direction in multiple signature schemes. 

4.2 Two entities with the same identity and different expo- 
nents 

Let us now consider two tamper-resistant devices, each one storing its unique
authentication number ($B_1$ and $B_2$) related to the same identity $I$ by one of the
following simple equations (let us consider that $v_1$ and $v_2$ are prime together):

$$B_1^{v_1} \cdot J \bmod n = 1 \quad \text{and} \quad B_2^{v_2} \cdot J \bmod n = 1, \text{ with } J = \mathrm{Red}(I).$$

The cooperation may simulate an entity having identity $I$ with the exponent $v =
v_1 \cdot v_2$,

$$B^v \cdot J \bmod n = 1,$$

with $B_1$ equal to $B^{v_2} \bmod n$ while $B_2$ is equal to $B^{v_1} \bmod n$.

The two entities, cooperating on a shared Personal Computer, are negotiating
an authentication transaction with a verifier according to the following protocol:

1. Entity 1 transmits its identity $I$ and a test number $T_1$ which is the $v_1$-th power
in $Z_n$ of an integer $r_1$ picked at random in $Z_n^*$.

Entity 2 transmits its identity $I$ and a test number $T_2$ which is the $v_2$-th power
in $Z_n$ of an integer $r_2$ picked at random in $Z_n^*$.

The shared Personal Computer sends to the verifier the common identity $I$
and the common test number $T$ computed from:

$$T = T_1^{v_2} \cdot T_2^{v_1} \bmod n = (r_1 \cdot r_2)^{v_1 \cdot v_2} \bmod n = (r_1 \cdot r_2)^v \bmod n = r^v \bmod n,$$

where $r$ is used for the (implicit) common random number $r_1 \cdot r_2 \bmod n$.

2. The verifier asks a question $d$ which is an integer picked at random from 0 to
$v-1$.

The shared Personal Computer translates the question: $d_1 = d / v_2 \bmod v_1$ (that is,
$d \cdot v_2^{-1} \bmod v_1$) for entity 1 and $d_2 = d / v_1 \bmod v_2$ for entity 2.

3. Entity 1 sends a witness number $t_1$ which is the product in $Z_n$ of integer $r_1$
by the $d_1$-th power of authentication number $B_1$.

Entity 2 sends a witness number $t_2$ which is the product in $Z_n$ of integer $r_2$
by the $d_2$-th power of authentication number $B_2$.

The Personal Computer sends to the verifier the common witness number $t$:

$$t = t_1 \cdot t_2 \bmod n = r_1 \cdot r_2 \cdot B_1^{d_1} \cdot B_2^{d_2} \bmod n = r \cdot B^{d_1 \cdot v_2 + d_2 \cdot v_1} \bmod n.$$

4. Let us call $d'$ the integer $d_1 \cdot v_2 + d_2 \cdot v_1$; by construction $d' \equiv d \pmod{v}$.
In order to check such a witness number $t$, the verifier computes the product of the
$d'$-th power of the shadowed identity $J$ by the $v$-th power of witness $t$, that is:

Is the test number $T$ equal to $J^{d'} \cdot t^v \bmod n$?

Proof:

$$J^{d'} \cdot t^v \bmod n = J^{d'} \cdot (r_1 \cdot B_1^{d_1} \cdot r_2 \cdot B_2^{d_2})^{v_1 \cdot v_2} \bmod n
= (J \cdot B_1^{v_1})^{d_1 \cdot v_2} \cdot (J \cdot B_2^{v_2})^{d_2 \cdot v_1} \cdot (r_1 \cdot r_2)^v \bmod n = T. \;\square$$

This protocol of cooperation may easily be extended to any number of cooperating 
entities. 

Let us remark that the protocols of cooperation solve many problems of sublim- 
inal channels in the sense of Simmons or Desmedt. One cooperating entity is then 
a one-way active warden (see more in the full paper). 
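Both cooperation protocols (4.1, same exponent and different identities; 4.2, same identity and coprime exponents) as an added Python example that is not the paper's code. The toy modulus $47 \cdot 59$, the exponents 7 and 11 and the secret 123 are assumptions; a dishonest second card is included to show that the combined check fails when one party does not hold its authentication number.

```python
from math import gcd

# Toy parameters (assumptions for this example, not values from the paper).
P, Q = 47, 59
N = P * Q                     # 2773; real cards use large secret primes
PHI = (P - 1) * (Q - 1)


def shadow_of(B, v, n=N):
    """Public shadowed identity J for secret B: J * B^v = 1 mod n."""
    assert gcd(v, PHI) == 1
    return pow(pow(B, v, n), -1, n)


def cooperate_same_exponent(v, card1, card2, r1, r2, d, n=N):
    """Section 4.1: two cards (J_i, B_i) with the same exponent v.  The PC multiplies the
    two test numbers and the two witnesses; the verifier checks J1^d * J2^d * t^v == T.
    (In the real scheme the verifier derives J_i = Red(I_i) from the claimed identities.)"""
    (J1, B1), (J2, B2) = card1, card2
    T1, T2 = pow(r1, v, n), pow(r2, v, n)          # each card: T_i = r_i^v
    T = T1 * T2 % n                                # PC: T = (r1*r2)^v, r = r1*r2 implicit
    t1 = r1 * pow(B1, d, n) % n                    # each card answers the same d
    t2 = r2 * pow(B2, d, n) % n
    t = t1 * t2 % n                                # PC: t = r * (B1*B2)^d
    return pow(J1, d, n) * pow(J2, d, n) * pow(t, v, n) % n == T


def split_identity(B, v1, v2, n=N):
    """Section 4.2 setup: from a virtual secret B with exponent v = v1*v2 derive the two
    card secrets B1 = B^v2 and B2 = B^v1, so that B1^v1 = B2^v2 = B^v."""
    assert gcd(v1, v2) == 1
    return pow(B, v2, n), pow(B, v1, n)


def cooperate_same_identity(v1, v2, J, B1, B2, r1, r2, d, n=N):
    """Section 4.2: same identity J, coprime exponents v1, v2.  The PC translates the
    question d into d1 = d/v2 mod v1 and d2 = d/v1 mod v2; the verifier recombines
    d' = d1*v2 + d2*v1 (congruent to d mod v by the CRT) and checks J^d' * t^v == T."""
    v = v1 * v2
    T1, T2 = pow(r1, v1, n), pow(r2, v2, n)        # each card uses its own exponent
    T = pow(T1, v2, n) * pow(T2, v1, n) % n        # PC: T = (r1*r2)^v
    d1 = d * pow(v2, -1, v1) % v1                  # question translation on the PC
    d2 = d * pow(v1, -1, v2) % v2
    t1 = r1 * pow(B1, d1, n) % n
    t2 = r2 * pow(B2, d2, n) % n
    t = t1 * t2 % n                                # = r * B^(d1*v2 + d2*v1)
    d_prime = d1 * v2 + d2 * v1                    # the verifier can compute this itself
    assert d_prime % v == d % v
    return pow(J, d_prime, n) * pow(t, v, n) % n == T
```

For 4.2 the check passes with the two derived secrets and fails when the second card is replaced by one built from a different $B$, because $d'$ is congruent to $d$ modulo $v$ only in the exponent of $J \cdot B^v$, which must be 1 for the product to collapse to $T$.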

5 Interactively authenticating both cards and 
messages 

The authentication described in the basic method convinces the verifier that an 
entity knowing the authentication number is involved in the transaction. 

But the interaction of simultaneous processes may be misleading: everybody
knows the strategy used by the child playing chess simultaneously against two
masters. The first master opens the first game, then the child reproduces this opening
on the second table. The second master replies, and the child repeats this reply on
the first table. While knowing nothing of chess, the child will not lose both
games. We must be careful in the design of a protocol, so as to avoid giving to a
child the merits of a master.

Let us transpose the problem. A kitchener using a security device provided by
a banker is buying oranges at a grocery, the grocer being a member of the
Organization: at the same time, another member of the same Organization is negotiating
diamonds in a jewelry, the jeweler being unaware of any problem. When the
payment operation is ready, the jeweler verifies the authenticity of the security device
of the man buying diamonds. But in fact, this "security" device is connected via a
full duplex radiating channel to the grocery POS terminal. And owing to this
hidden synchronization, the jeweler is preparing a bill on the kitchener's account number,
both kitchener and jeweler being unaware of the problem. Y. Desmedt noted this
problem in the rump session of CRYPTO '87.

By linking transaction purpose and buyer identity in a unique authentication
process, the fraud prepared by the Organization will no longer succeed. The kitchener
is buying oranges, while the jeweler is selling diamonds. This message
authentication must convince the verifier that the message is really sent by the entity owning
the right authentication number.

Such an extension implies a hash function. Some papers (Goldreich, Goldwasser
and Micali [7]) are dealing with functions statistically indistinguishable from truly
random functions with polynomially limited resources. Let us suppose that such a
good one-way hash function $h$ exists, while, today, no such function is ready for
standardization.

NOTE. Hash functions h may be implemented either in prover's PC or in the card. 
The user must control the parameters sent to the hash function. In the example, 
the user holds a portable device in which the card is inserted and where the hash 
function h is implemented. 

This is a message authentication (the basic idea was already present in
Fiat-Shamir [6]):

1. The user claims the message $M$, the identity $I$ and the verification number
$V$.

At each treatment, the card picks at random an integer $r$ in $Z_n$ and computes
a test $T$ by raising it to the $v$-th power in $Z_n$. The portable device of the user
computes as the verification number $V$ the hashing of $M$ and $T$:

$$V = h(M, T) = h(M, r^v \bmod n).$$

2. The verifier asks a question $d$.

The verifier picks at random an integer $d$ from 0 to $v-1$ and transmits it.

3. The user shows a witness $t$.

The card computes as witness $t$ the product of the random element $r$ by the $d$-th
power of the authentication number $B$:

$$t = r \cdot B^d \bmod n.$$

4. The verifier reconstructs the test number $T$ from the question $d$, the identity
$I$ and the witness $t$. Next, the verifier reconstructs the verification number $V$
from the message $M$ and the test $T$:

Is $V$ equal to $h(M, J^d \cdot t^v \bmod n)$?

This is still a zero-knowledge interactive protocol.

Let us now introduce a non-interactive zero-knowledge protocol: the hash
function $h$ may be used by the prover himself to compute directly the question $d$. Some
of these ideas on non-interactivity were already formulated in Fiat and Shamir [6].

6 Swapping to signatures by removing interactivity

The integrity of a transmission system is threatened in various ways: 

• false information may be introduced in the system; 

• a wire-tapped message may be replayed; 

• the sender may be impersonated; 

• false signature may be forged. 

By a signature operation, the sender prepares a signed message. 

By a verification operation, the receiver checks the signed message. 

When the integrity is threatened, at least the receiver must protect his operation. 

Each operation may be described
as an algorithm controlled by parameters such as a key.
In order to protect an operation, the key at least should be kept secret.

Each signature scheme implies three fundamental operations ([12]): the key- 
production, the signature and the verification. In each signature system, there are 
five types of partners: the prover, the verifier, the cheater, the trusted authority 
managing the identities of users and hot lists and the judge evaluating disputes and 
repudiations. 

In an interactive authentication process, the verifier reacts in a random way. 
Let us use a hash function to replace the interactivity between the prover and the 
verifier. We are facing now a signature scheme based on a non-interactive zero- 
knowledge technique. Our contribution in this field is not the basic ideas ([8], [17]), 
but rather a first synthesis between two basic ideas. 
Let us consider the security level (related to the value of $v$): in a proximity
relation with a policeman, nobody will try to show a forged driving licence with
probability $1 - 10^{-4}$ of being caught. Some people may try up to 10 000 times to
remotely access a database, and in a remote control, the question must then be
20 bits long. But in a signature scheme where a simulation may be secretly forged
off-line, the level of security must be raised to 60-bit-long questions. Even with the
most powerful computers, it is unrealistic to try $10^{18}$ times.

Here is the signature operation: 

1. At each signature, the card picks at random an element $r$ of $Z_n$, and computes
as the test $T$ the $v$-th power of $r$ in $Z_n$, transmitted to the PC.

2. The PC (or the card depending upon the application) hashes the message $M$
and the test $T$ into an integer $d$ uniformly selected from 0 to $v-1$. This integer
is transmitted to the card as the question $d$.

3. The card computes as the witness $t$ the product in $Z_n$ of the integer $r$ by the
$d$-th power of the authentication number $B$. The consecutive computations
are

$$T = r^v \bmod n;\quad d = h(M, T);\quad t = r \cdot B^d \bmod n.$$

The signed message consists of the message $M$ followed by a very compact
appendix including the identity $I$, the question $d$ and the witness $t$.

The verification operation consists of reconstructing the test $T$ from the witness
$t$, the question $d$ and the identity $I$, knowing $n$, $v$ and the redundancy rules, and
checking that $d = h(M, T)$.

This method is still zero-knowledge about the authentication number included
in the card. Even an enemy using a stolen card, while producing signatures, will
learn nothing about the specific value of the authentication number. And when a
card is hashing itself $M$ and $T$, the property is still maintained, because the same
hashing could have been done outside the card. While making forgery easy, a weak
hash function should not endanger the secret.

7 The identity-based signature scheme 

This signature scheme with appendix is a probabilistic scheme based upon an
underlying signature scheme with shadow ([12]).

The underlying signature scheme is based on users' identities. For a bank,
such an identity includes an account number, a validity period and a usage code,
associated with the serial number of the chip embedded in the card.

We now propose to use as hash function the collision-resistant permutations
analyzed in the second paragraph and related to the underlying signature scheme
with shadow. Thus the security of the hash function is homogeneous with the
security of the zero-knowledge scheme.

Resulting from hashing the message $M$ and the test $T$, the question $d$ is an
element of $Z_n$. A shortening of the question $d$ would result in a partial collision in
$Z_n$, which does not give the authentication number. The proof of equivalence would
thus disappear. In order to accept such large questions, $v$ is a prime between $n/2$
and $n$.

The resulting signature scheme is paradoxical:

• An enemy having received as many signatures of messages of his choice as
he wants is not able to produce even one additional signature unless he has
broken the underlying problem and reconstructed the authentication number
of the user.

• A user trying to repudiate one signature by producing a second message with
the same appendix would reveal a collision and thus his authentication
number.

This is the signature scheme: 

1. At each signature, the card picks at random an integer $r$ in $Z_n$ and computes
as test $T$ the $v$-th power of $r$ in $Z_n$, transmitted to the PC.

2. The PC hashes the message $M$ and the test $T$ by computing as question $d$ the
product in $Z_n$ of the $M$-th power of $J$ by the $v^k$-th power of $T$ ($v^{k-1} \le M < v^k$).

3. The card computes as witness $t$ the product in $Z_n$ of $r$ by the $d$-th power of
the authentication number $B$.

Let us summarize these successive computations ($k$ is such that $v^{k-1} \le M < v^k$):

$$T = r^v \bmod n;\quad d = J^M \cdot T^{v^k} \bmod n;\quad t = r \cdot B^d \bmod n.$$

NOTE. At each signature, the integer $r$ is picked at random in $Z_n$. In a practical
implementation in a smart card, the random generation is difficult to control. A
deterministic production of $r$ would be very useful. How to specify a secure
deterministic generation of $r$? Such a computation should involve both the authentication
number $B$ as a secret seed and the whole message $M$ to be signed, which should
include at least a time stamp.

In such an implementation, for security reasons, the whole process should be 
performed inside the card, like this one: 

At each signature, the card receives as argument a message $M$ to be signed.

1. From this message $M$ and from the authentication number $B$, the card
generates an integer $r$ in $Z_n$.

2. The card raises the integer $r$ to the $v$-th power in $Z_n$ to get the test number
$T$.

3. The card computes as the question $d$ the product in $Z_n$ of the $M$-th power of
$J$ by the $v^k$-th power of $T$ ($v^{k-1} \le M < v^k$).

4. The card computes as the witness $t$ the product in $Z_n$ of $r$ by the $d$-th power
of the authentication number $B$. After this sequence, the card delivers the
question $d$ and the witness $t$.

The verification operation includes the successive reconstructions of the test $T$
and the question $d$.

1. The test $T$ is reconstructed as the product in $Z_n$ of the $d$-th power of the
shadowed identity $J$ by the $v$-th power of the witness $t$.

2. The question $d$ is reconstructed as the product in $Z_n$ of the $M$-th power of the
shadowed identity $J$ by the $v^k$-th power of the test number $T$.

Let us summarize these computations:

$$J^d \cdot t^v \bmod n = J^d \cdot (B^d \cdot r)^v \bmod n = (J \cdot B^v)^d \cdot r^v \bmod n = r^v \bmod n = T,$$

and

$$d = J^M \cdot T^{v^k} \bmod n.$$

The whole verification collapses into a single equation:

Is the question $d$ equal to $J^{M + d \cdot v^k} \cdot t^{v^{k+1}} \bmod n$?
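The signature of section 6 (question obtained from a hash), the composed permutation $F_D$ of section 3, and the identity-based signature of section 7 with its collapsed verification, as an added Python example that is not the paper's code. SHA-256 stands in for the paper's hypothetical hash $h$; the toy modulus $47 \cdot 59$, the prime $v = 1399$ (between $n/2$ and $n$, coprime to $(p-1)(q-1)$) and the secret 123 are assumptions.

```python
import hashlib

# Toy parameters (assumptions for this example, not the paper's values).
P, Q = 47, 59
N = P * Q                 # 2773
V = 1399                  # a prime between N/2 and N, coprime to (P-1)(Q-1) = 2668


def shadow_of(B, v=V, n=N):
    """Public shadowed identity J for the card secret B: J * B^v = 1 mod n."""
    return pow(pow(B, v, n), -1, n)


def hash_question(M: bytes, T: int, v=V) -> int:
    """Section 6: the question d = h(M, T) in [0, v-1]; SHA-256 stands in for the
    'good one-way hash function h' the paper assumes."""
    digest = hashlib.sha256(M + T.to_bytes((T.bit_length() + 7) // 8 or 1, "big")).digest()
    return int.from_bytes(digest, "big") % v


def sign_hashed(M: bytes, B: int, r: int, v=V, n=N):
    """Section 6 signature: T = r^v; d = h(M, T); t = r * B^d.  Appendix is (d, t)."""
    T = pow(r, v, n)
    d = hash_question(M, T, v)
    return d, r * pow(B, d, n) % n


def verify_hashed(M: bytes, J: int, d: int, t: int, v=V, n=N) -> bool:
    """Rebuild T = J^d * t^v from the appendix and check that d = h(M, T)."""
    T = pow(J, d, n) * pow(t, v, n) % n
    return d == hash_question(M, T, v)


def digits_k(D: int, v=V) -> int:
    """k such that v^(k-1) <= D < v^k, i.e. the number of v-ary digits of D (D >= 1)."""
    k = 1
    while v ** k <= D:
        k += 1
    return k


def F(J: int, D: int, x: int, v=V, n=N) -> int:
    """Composed permutation F_D(x) = J^D * x^(v^k) of section 3, in closed form."""
    return pow(J, D, n) * pow(x, v ** digits_k(D, v), n) % n


def F_composed(J: int, D: int, x: int, v=V, n=N) -> int:
    """The same F_D(x), computed as the GMR-style composition
    F_{d(0)}(F_{d(1)}(... F_{d(k-1)}(x) ...)) of the basic permutations F_d(y) = J^d * y^v."""
    k = digits_k(D, v)
    digits = [(D // v ** i) % v for i in range(k)]     # d(0) is least significant
    y = x
    for i in reversed(range(k)):                        # innermost F_{d(k-1)} first
        y = pow(J, digits[i], n) * pow(y, v, n) % n
    return y


def sign_identity_based(M: int, J: int, B: int, r: int, v=V, n=N):
    """Section 7 signature: the hash is F_M itself.  T = r^v; d = J^M * T^(v^k); t = r * B^d."""
    T = pow(r, v, n)
    d = F(J, M, T, v, n)
    return d, r * pow(B, d, n) % n


def verify_identity_based(M: int, J: int, d: int, t: int, v=V, n=N) -> bool:
    """The collapsed check of section 7: d == J^(M + d*v^k) * t^(v^(k+1)) mod n."""
    k = digits_k(M, v)
    return d == pow(J, M + d * v ** k, n) * pow(t, v ** (k + 1), n) % n
```

`F_composed` and `F` agree on every $D$, which is the identity $F_D(x) = J^D x^{v^k}$ used above; changing the signed integer $M$ by one makes the collapsed check fail, because the reconstructed question then differs from $d$ by the factor $J$, which is not 1 unless $B = 1$.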

8 Exchange authentication: a priori versus a pos- 
teriori? 

Some proposals are made today to standardize authentication protocols beginning
with an authentication sequence that keys a pair of communicating entities. Since
it sets this pair apart from the other entities on the network, this key subsequently
ensures integrity of transmissions by enciphering either the exchanged data or at least
an imprint computed by hashing these data. This shared key must be kept secret. A
priori authentication is then necessarily a procedure establishing a shared secret key in
the pair of communicating entities. Such methods sadly confuse integrity and
confidentiality, while public key techniques seem powerful enough to provide separate
solutions to the two classes of threats, against confidentiality on one hand and integrity
on the other hand.

When a priori authentication is needed to limit misuse of gate resources by
intruders, this authentication should not be used to ensure integrity of subsequent
exchanges. Rather, a second (a posteriori) authentication should be performed
after the exchanges in order to check both the integrity of the previous exchanges and
the identification of the communicating entities.
Operation sequencing is correct only in an a posteriori authentication, when
the authentication protocol occurs after the exchange of information. The
zero-knowledge techniques are typically used after an exchange of clear information.

In a posteriori authentication, another subtlety appears between:

• keyed systems, where each user owns his secret key, like a composite number,
usable for general purposes with the help of a registration authority;

• and keyless systems, based upon identities, where each user owns an
authentication number delivered by a trusted authority for some dedicated purposes.

In a keyed system, confidentiality and integrity are both provided. The only 
solution (the RSA scheme) proposed today in CCITT X.509 (authentication frame- 
work) is in this category. While being useful in some circumstances, such a method 
is not dedicated to integrity: confidentiality is easily obtained. 

In a keyless identity-based system, the communicating entities are not able to 
produce a common secret key: secrecy cannot be derived from the scheme. 

Let us notice that in both cases, an authority (either a general multi-purpose
authority or several dedicated authorities) has to play a prominent part! The keyless
systems with multiple authorities fit better with the bright proposals of Chaum ([2])
on privacy protection. This is also an important point.

Integrity techniques are typically used on various remote control systems in
such a way that no assumption has to be made on the security of the networks and
terminals used in the transaction. Why should some assumptions be made on the
morality of potential users?

It seems to us that a good integrity scheme does not have
to make any assumption on the integrity of the potential users.

Thus the conjunction of zero-knowledge techniques and identity-based tech- 
niques solves some political problems due to the use of cryptologic techniques on 
public networks. At least one signature scheme exists which cannot be misused and 
illegally transformed into a confidentiality scheme. 

An identity-based scheme should be taken into account in X.509. 
Abstract: Fiat-Shamir's identification and signature scheme is efficient as well as
provably secure, but it has a problem in that the transmitted information size and
memory size cannot simultaneously be small. This paper proposes an identification
and signature scheme which overcomes this problem. Our scheme is based on the
difficulty of extracting the $L$-th roots mod $n$ (e.g., $L = 2 \sim 10^{20}$) when the factors of
$n$ are unknown. We define some variations of no transferable information and prove
that the sequential version of our scheme is a zero knowledge interactive proof system
and our parallel version satisfies these variations of no transferable information under
some conditions. The speed of our scheme's typical implementation is at least one order
of magnitude faster than that of the RSA scheme and is relatively slow in comparison
with that of the Fiat-Shamir scheme.

1. Introduction 

Fiat and Shamir have proposed an identification and signature scheme which
is promising because it is efficient and provably secure against any active attack [FS].
Their scheme is based on the difficulty of extracting square roots mod $n$ when the
factors of $n$ are unknown. The Fiat-Shamir scheme consists of sequential and parallel
versions. Though their sequential version is a zero knowledge interactive proof system
[FFS], the iteration number must be $O(\log_2 n)$ and the communication performance is
therefore low. The parallel version is more efficient than the sequential version, and it is
secure because it reveals no transferable information [FFS]. There is, however, a
trade-off between the transmitted information size and memory size. That is, the probability
of forgery is $1/2^{kt}$, where $k$ denotes the number of secret information integers and the
overall transmitted information size is proportional to $t$. For example, in order to
attain the security level $2^{-20}$, i.e., $tk = 20$, when we reduce the information size to
$t = 1$, we must store twenty ($k = 20$) secret integers. When we store only one secret
integer, $k = 1$, we must send twenty ($t = 20$) times as long a message. Therefore, the
efficient parameter values, $t = k = 1$, cannot be used in their scheme.

In this paper, we propose an identification and signature scheme which overcomes
the above mentioned problem. Our scheme is based on the difficulty of extracting
the $L$-th roots mod $n$ when factors of $n$ are unknown. In our scheme, the third
design parameter $L$ is introduced in addition to the two parameters $t$ and $k$ which
correspond to $t$ and $k$ of the Fiat-Shamir scheme. Here, the security level is represented
as $L^{-tk}$. Therefore, the parameter values $t = k = 1$ are applicable in our scheme if the
appropriate value for $L$ is chosen, although our scheme is relatively slow in comparison
with the Fiat-Shamir scheme. Hence our scheme is suitable for smart cards, because
their memory amounts are restricted.

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 232-243, 1990.

We define new security level notions of "transferable information with a (strict)
security level $\rho$" and "transferable information with a (strict) sharp-threshold security
level $\rho$." We then prove that the sequential version of our scheme is a perfect zero
knowledge interactive proof system for any $L$. We go on to prove that our parallel
version reveals no transferable information with a strict security level, where $p$
and $q$ are factors of $n$, $p' = (L, p-1) > 1$, $p' \ge q' = (L, q-1)$, if the factoring is difficult
and an additional condition holds, where $(a, b)$ denotes the greatest common divisor
of $a$ and $b$. Finally we also prove that our parallel version releases no transferable
information with a strict sharp-threshold security level $1/L$ when $(L, p-1) = L$ and
an additional condition holds.

Although the idea of using higher roots was implied in [FS], [GQ1] and [GQ2], 
its security and parameter conditions were not formally discussed. 

In the following sections, we consider a typical case where k = 1 for the sequential 
version and k = t = 1 for the parallel version. Our results are easily extended to cases 
where k and t have other values. 

2. Some Number-Theoretic Results

First some number-theoretic results are shown concerning the modular $L$-th
roots.

[Lemma 1] Let $p$ be an odd prime, $L$ be an integer ($L \ge 2$) and $p' = (L, p-1)$. If
$y$ is an $L$-th residue mod $p$, then there are $p'$ integers $x$, the $L$-th roots mod $p$ of $y$,
such that $x^L \equiv y \pmod p$.

Proof Let $g$ be a primitive element over the finite field $GF(p)$, let $\alpha$ satisfy $g^\alpha \equiv x
\pmod p$ and let $\beta$ satisfy $g^\beta \equiv y \pmod p$. Then $x^L \equiv y \pmod p$ implies $(g^\alpha)^L \equiv g^\beta
\pmod p$. Here $\alpha$ satisfies $\alpha L \equiv \beta \pmod{p-1}$; therefore, it has $p'$ solutions [HW,
pp. 51-52]. Q.E.D.

[Lemma 2] Let $p$ be an odd prime, $L$ be an integer ($L \ge 2$), $y$ be an $L$-th residue
mod $p$ and $p' = (L, p-1) \ge 2$. If $\{x_1, \ldots, x_{p'}\}$ is the set of the $L$-th roots mod $p$ of
$y$, then any pair $(x_i, x_j)$ satisfies $x_i^{p'} \equiv x_j^{p'} \pmod p$ ($1 \le i, j \le p'$) and there is at
least one pair $(x_i, x_j)$ such that $i \ne j$ and $x_i^{p'-1} \not\equiv x_j^{p'-1} \pmod p$.

Proof Let $g$ be a primitive element over $GF(p)$ and let $\alpha_i$ satisfy $g^{\alpha_i} \equiv x_i \pmod p$
($1 \le i \le p'$). Since the congruence $x_i^L \equiv x_j^L \equiv y \pmod p$ implies $L(\alpha_i - \alpha_j) \equiv 0
\pmod{p-1}$, $p-1$ is a divisor of $L(\alpha_i - \alpha_j)$. Here $p'$ is the greatest common divisor
of $L$ and $p-1$. Thus, $p-1$ is a divisor of $p'(\alpha_i - \alpha_j)$. Therefore, the congruence
$p'\alpha_i \equiv p'\alpha_j \pmod{p-1}$ holds, and we finally obtain $x_i^{p'} = (g^{\alpha_i})^{p'} \equiv (g^{\alpha_j})^{p'} = x_j^{p'}
\pmod p$ ($1 \le i, j \le p'$).

Assume that every $x_i$ satisfies $x_i^{p'-1} \equiv z \pmod p$ ($1 \le i \le p'$). Thus, there are
$p'$ integers among the $(p'-1)$-th roots mod $p$ of $z$. Here, the number of the $(p'-1)$-th
roots mod $p$ of $z$ is at most $p'-1$ according to Lemma 1 because $(p'-1, p-1) \le p'-1$.
This is a contradiction. Therefore, there is at least one pair $(x_i, x_j)$ such that $i \ne j$
and $x_i^{p'-1} \not\equiv x_j^{p'-1} \pmod p$. Q.E.D.

We classify the $L$-th roots mod $n$ of 1 in order to calculate the probability of
successfully factoring $n$.

[Definition 1] Let $L$ be an integer ($L \ge 2$) and $n$ be a composite number which is
the product of two odd primes $p$ and $q$. Four types of the $L$-th roots mod $n$ of 1 are
defined as follows:

$\omega$ is Type1 if $\omega = [1, 1]$,
$\omega$ is Type2 if $\omega = [1, \omega_q]$,
$\omega$ is Type3 if $\omega = [\omega_p, 1]$,
$\omega$ is Type4 if $\omega = [\omega_p, \omega_q]$,

where the notation $\omega = [a, b]$ means that $\omega$ satisfies the following congruences:

$$\omega \equiv a \pmod p, \qquad \omega \equiv b \pmod q,$$

and where $\omega_p$ satisfies $1 + \omega_p + \ldots + \omega_p^{L-2} + \omega_p^{L-1} \equiv 0 \pmod p$ and $\omega_q$ satisfies
$1 + \omega_q + \ldots + \omega_q^{L-2} + \omega_q^{L-1} \equiv 0 \pmod q$.

[Lemma 3] Let $L$ be an integer ($L \ge 2$), $n$ be a composite number which is the
product of two odd primes $p$ and $q$ and $\omega$ be one of the $L$-th roots mod $n$ of 1. Then,

$\#\{\omega \mid \omega \text{ is Type1}\} = 1$,
$\#\{\omega \mid \omega \text{ is Type2}\} = q' - 1$,
$\#\{\omega \mid \omega \text{ is Type3}\} = p' - 1$,
$\#\{\omega \mid \omega \text{ is Type4}\} = (p'-1)(q'-1)$,

where $p' = (L, p-1)$, $q' = (L, q-1)$, and $\#$ denotes the number of elements of a set.

Proof The following equation with respect to $\omega$ has $p'$ solutions in $GF(p)$ according
to Lemma 1: $1 - \omega^L = (1 - \omega)(1 + \omega + \ldots + \omega^{L-2} + \omega^{L-1}) \equiv 0 \pmod p$. Thus,
$\#\{\omega_p \bmod p \mid 1 + \omega_p + \ldots + \omega_p^{L-2} + \omega_p^{L-1} \equiv 0 \pmod p\} = p' - 1$. Similarly, $\#\{\omega_q \bmod
q \mid 1 + \omega_q + \ldots + \omega_q^{L-2} + \omega_q^{L-1} \equiv 0 \pmod q\} = q' - 1$. Moreover, $\#\{\omega \mid \#\{\omega \bmod p\} = \alpha$
and $\#\{\omega \bmod q\} = \beta\} = \alpha \cdot \beta$. Therefore, the above property is proven. Q.E.D.

[Theorem 1] Let $L$ be an integer ($L \ge 2$), $n$ be a composite number which is
the product of two odd primes $p$ and $q$, $I$ be an $L$-th residue mod $n$, and $AL$ be a
probabilistic polynomial time algorithm which, given $I$ and $n$, finds one of the $L$-th
roots mod $n$ of $I$ with probability $\ge 1/|n|^a$, where $|n|$ denotes the data length of
$n$. If $(L, p-1) \ne 1$ or $(L, q-1) \ne 1$, then there exists a probabilistic polynomial
time algorithm for factoring $n$ using $AL$ in at most $O(|n|^{a+2b})$ steps, where $b$ satisfies
$L = O(|n|^b)$.

Proof Choose a random integer $y \in Z_n$, where $Z_n$ denotes $\{0, \ldots, n-1\}$, calculate
$z = y^L \bmod n$ and compute $x$ which is one of the $L$-th roots mod $n$ of $z$ by using $AL$.
Because the distribution of $x$ doesn't depend on which $y$ is selected, and because $y$ is
randomly selected, $\omega = x/y \bmod n$ is uniformly distributed. If $\omega$ is Type2 or Type3, we
can calculate the factors of $n$ by computing $(\omega - 1, n)$. Note that when $\omega$ is Type1,
$(\omega - 1, n) = n$; and when $\omega$ is Type4, $(\omega - 1, n) = 1$. The probability of $\{\omega$ is Type2
or Type3$\}$ is $(p' + q' - 2)/(p'q')$ according to Lemma 3. Moreover, the inequality
$(p' + q' - 2)/(p'q') \ge 1/(p'q')$ holds because of the assumption $(L, p-1) \ne 1$ or $(L, q-1) \ne 1$.
The average number of iterations for deriving $x$ from $z$ using $AL$ is $|n|^a$. The average
number of iterations for selecting $x$ such that $\omega$ is Type2 or Type3 is at most $p'q' = O(|n|^{2b})$.
Therefore, the total average number of iterations for the factorization of $n$ is at most
$O(|n|^{a+2b})$. Q.E.D.
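Lemma 1, Lemma 3 and the reduction of Theorem 1, as an added Python example that is not the paper's code. The primes 37 and 47 with $L = 6$ (so $p' = 6$, $q' = 2$) are assumptions; the root-finding algorithm $AL$ is simulated by brute force over the small modulus and picks a root uniformly, so that its choice does not depend on the caller's $y$, which is exactly the property the proof relies on.

```python
import random
from math import gcd


def lth_roots_mod_p(y: int, p: int, L: int):
    """All x in GF(p) with x^L = y (mod p); Lemma 1 says there are (L, p-1) of them
    when y is an L-th residue."""
    return [x for x in range(1, p) if pow(x, L, p) == y % p]


def roots_of_unity(n: int, L: int):
    """All L-th roots of 1 mod n (brute force; n is tiny in this example)."""
    return [w for w in range(1, n) if pow(w, L, n) == 1]


def root_type(w: int, p: int, q: int) -> int:
    """Definition 1: Type1 = [1,1], Type2 = [1, w_q], Type3 = [w_p, 1], Type4 = [w_p, w_q]."""
    one_mod_p, one_mod_q = w % p == 1, w % q == 1
    return {(True, True): 1, (True, False): 2, (False, True): 3, (False, False): 4}[(one_mod_p, one_mod_q)]


def type_counts(p: int, q: int, L: int) -> dict:
    """Lemma 3 counts: {1: 1, 2: q'-1, 3: p'-1, 4: (p'-1)(q'-1)}, p' = (L,p-1), q' = (L,q-1)."""
    counts = {1: 0, 2: 0, 3: 0, 4: 0}
    for w in roots_of_unity(p * q, L):
        counts[root_type(w, p, q)] += 1
    return counts


def make_root_oracle(n: int, L: int, rng: random.Random):
    """Stand-in for the algorithm AL of Theorem 1 (an assumption of this example): given an
    L-th residue z it returns one of z's L-th roots mod n, chosen uniformly, so the root it
    picks does not depend on which y the caller started from."""
    def oracle(z: int) -> int:
        roots = [x for x in range(1, n) if pow(x, L, n) == z]
        return rng.choice(roots)
    return oracle


def factor_with_root_oracle(n: int, L: int, oracle, rng: random.Random, max_tries: int = 64):
    """Theorem 1 reduction: pick y, ask the oracle for a root x of y^L, form w = x/y
    (an L-th root of unity) and split n with gcd(w - 1, n).  Only Type2/Type3 roots split n;
    their share is (p' + q' - 2)/(p' q'), positive as soon as (L,p-1) != 1 or (L,q-1) != 1."""
    for _ in range(max_tries):
        y = rng.randrange(1, n)
        if gcd(y, n) != 1:                      # negligible for real n; a free factor here
            g = gcd(y, n)
            return tuple(sorted((g, n // g)))
        x = oracle(pow(y, L, n))
        w = x * pow(y, -1, n) % n
        g = gcd(w - 1, n)                       # Type1 gives n, Type4 gives 1, Type2/Type3 give p or q
        if 1 < g < n:
            return tuple(sorted((g, n // g)))
    return None
```

With $p = 37$, $q = 47$, $L = 6$ the twelve 6th roots of unity split as one Type1, one Type2, five Type3 and five Type4, so each oracle query factors $n$ with probability $6/12$.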

[Definition 2] Let $p$ be a prime and $a \in GF(p)$. An index of $a$ over $GF(p)$, $\mathrm{Ind}_p(a)$,
is defined as follows:

$$\mathrm{Ind}_p(a) = \min\{m \ge 1 \mid a^m \equiv 1 \pmod p\}.$$

[Lemma 4] Let $p$ be a prime, $J \in GF(p)$ be a $p'$-th residue mod $p$, where $(p', p-1) = p'$
and $p' = r_1 \cdot r_2$ ($r_1, r_2 > 1$), $K$ be one of the $r_1$-th roots mod $p$ of $J$, $v_i$ ($i =
1, 2, \ldots, r_2$) be the $r_2$-th roots of $K$, $v_0$ be one of the $p'$-th roots of $J$, and $\omega_i =
v_i / v_0 \bmod p$. If there is an integer $\delta$ ($> 1$) which satisfies $(\delta, r_1) = 1$ and $(\delta, r_2) = \delta$,
then for any $K$ and $v_0$ there is at least one pair $(\omega_i, \omega_j)$ such that $\mathrm{Ind}_p(\omega_i) \ne \mathrm{Ind}_p(\omega_j)$.

Proof Let $g$ be a primitive element over $GF(p)$, and let $\alpha$ satisfy $g^{r_1 r_2 \alpha} \equiv J \pmod p$.
Then

$$K = g^{r_2 \alpha + j_1 (p-1)/r_1} \bmod p,$$

where $0 \le j_1 \le r_1 - 1$. Thus,

$$v_i = g^{\alpha + (j_1 + i \cdot r_1)(p-1)/(r_1 r_2)} \bmod p,$$

where $0 \le i \le r_2 - 1$. Similarly,

$$v_0 = g^{\alpha + (j_0 + i_0 \cdot r_1)(p-1)/(r_1 r_2)} \bmod p.$$

Therefore,

$$\omega_i = g^{\big((j_1 - j_0) + (i - i_0) \cdot r_1\big)(p-1)/(r_1 r_2)} \bmod p.$$

When $j_0 \ne j_1$, for any $i_0$, $j_0$ and $j_1$, there are two integers $u$ ($-\delta < u < \delta$) and $v$ ($-r_1 <
v < r_1$) such that $(j_1 - j_0) + u \cdot r_1 = v \cdot \delta$, because $(r_1, \delta) = 1$. Put $i_1 = i_0 + u \bmod r_2$; then
$\omega_{i_1}^{r_1 r_2 / \delta} = g^{v(p-1)} \equiv 1 \pmod p$. Thus, $\mathrm{Ind}_p(\omega_{i_1})$ divides $r_1 r_2 / \delta$. On the other hand,
there is an integer $i_2$ ($0 \le i_2 \le r_2 - 1$) such that $(j_1 - j_0) + (i_2 - i_0) r_1 \not\equiv 0 \pmod \delta$,
because $(r_1, \delta) = 1$ and $\delta \ge 2$. Thus, $\mathrm{Ind}_p(\omega_{i_2})$ does not divide $r_1 r_2 / \delta$. Therefore,
$\mathrm{Ind}_p(\omega_{i_1}) \ne \mathrm{Ind}_p(\omega_{i_2})$. When $j_0 = j_1$, then $\omega_{i_0} = 1$ and $\omega_i \ne 1$ ($i \ne i_0$). Therefore,
$\mathrm{Ind}_p(\omega_{i_0}) \ne \mathrm{Ind}_p(\omega_i)$. Q.E.D.

3. Sequential Version 

An identification scheme is proposed here in which a prover convinces a verifier 
that he is a real prover. Hereafter we denote a real prover as A, an invalid prover as 
$\tilde{A}$, a real verifier as B and an invalid verifier as $\tilde{B}$. 

A trusted center publishes an integer L ($L \ge 2$) and a modulus n which is 
the product of two secret large primes p and q. A publishes I which is calculated 
by $I = S^L \bmod n$ using a secret random integer $S \in Z_n$. Note that the difficulty of 
deriving S from I corresponds to that of breaking the RSA scheme [RSA] in the case 
where $(L, p-1) = 1$ and $(L, q-1) = 1$, and corresponds to the difficulty of factoring 
n in the case where $(L, p-1) \ne 1$ or $(L, q-1) \ne 1$ according to Theorem 1. 

To generate and verify a proof of identity, the parties execute the following 
procedure. Repeat Steps 1 to 4 in sequence t times: 

Step 1) A generates a random integer $R \in Z_n$ and sends $X = R^L \bmod n$ to B. 
Step 2) B sends a random integer $E \in Z_L$ to A. 
Step 3) A sends $Y = R \cdot S^E \bmod n$ to B. 
Step 4) B verifies that $Y^L = X \cdot I^E \pmod n$. 
Verifier B accepts prover A's proof of identity only if all the checks are successful t 
times. Note that there is no constraint on the relation among L, p and q. 

The following theorem guarantees the security of our sequential version. 

[Theorem 2] This protocol is an interactive proof system of knowledge of S 
[FFS] which is perfect zero knowledge [GMW], when $t = O(|n|)$ and $L = O(1)$. 
Proof (sketch) Completeness: To prove that A's proof always convinces B, we 
evaluate the verification condition: $Y^L = (R \cdot S^E)^L = R^L (S^L)^E = X \cdot I^E \pmod n$. 
Thus, the verifier accepts A's proof with probability 1. 
Soundness: Our goal is to show that whenever B accepts $\tilde{A}$'s proof with non-negligible 
probability ($> 1/|n|^a$), a probabilistic polynomial time Turing machine M can output 
an S' which satisfies $S'^L = I \pmod n$ with overwhelming probability. 

Let T be the truncated execution tree of $(\tilde{A}, B)$ for input I and $\tilde{A}$'s random 
tape $R_{\tilde{A}}$. A vertex is called "heavy" if it has more than $L/2$ sons. First, we prove that 
at least half the vertices in at least one of the levels in T must be heavy, then that M 
can find a heavy vertex in T with overwhelming probability, and finally that S' can be 
computed from the sons of any heavy vertex when a heavy vertex is found. 

Let $\alpha_i = \beta_{i+1}/\beta_i$, where $\beta_i$ denotes the number of vertices at level i in T. If $\alpha_i < 
(3/4)L$ for all $1 \le i \le t$, then the total number of leaves in T (i.e., $\beta_t = \alpha_1 \cdots \alpha_{t-1} \cdot \beta_1$) 
is bounded by $(3/4)^{t-1} L^t$, which is a negligible fraction of the $L^t$ possible leaves. Since 
we assume that this fraction is polynomial, $\alpha_i \ge (3/4)L$ for at least one level, which 
we denote $i_0$. Assume at least half the vertices at this level $i_0$ are not heavy; then 
$\beta_{i_0+1} < \beta_{i_0} \cdot L - (\beta_{i_0}/2)(L/2) = (3/4)\beta_{i_0} \cdot L$, and $\alpha_{i_0} = \beta_{i_0+1}/\beta_{i_0} < (3/4)L$. But 
$\alpha_{i_0} \ge (3/4)L$. This is a contradiction. Therefore, it is proven that at least half the 
vertices in at least one of the levels in T must be heavy. 

In order to find a heavy vertex in T, M explores random paths in the untruncated 
tree by determining the degree of each vertex and restarts from the root whenever the 
path encounters an improperly answered query. Since a non-negligible fraction ($> 
1/|n|^a$) of leaves is assumed to survive the truncation, the average number of iterations of 
the executions in which the path reaches the i-th level is $|n|^a$ $(i \le t)$. Since there is at least 
one level in T where at least half the vertices are heavy, the average number of iterations 
of the executions in which M can find a heavy vertex is at most $2|n|^a (t \cdot L) = O(|n|^{1+a})$. 

Finally, we will show how S' can be computed from the sons of any heavy 
vertex, when a heavy vertex is found. Let Q be the set of queries E which are properly 
answered by $\tilde{A}$. Assume that all pairs of integers $(E', E'')$ satisfy $E'' - E' > 1$ where 
$E', E'' \in Q$. Since $\#Q > L/2$, the largest difference between elements in Q is at least 
L. Here $\#Z_L = L$ and the largest difference between elements in $Z_L$ is at most $L - 1$. 
This is a contradiction. Therefore, it is proven that a set Q of more than $L/2$ integers 
of $Z_L$ must contain at least one pair of integers $(E_1, E_2)$ such that $E_1 - E_2 = 1$. 
Since these queries were properly answered, the following verification conditions hold: 
$Y_i^L = I^{E_i} \cdot X \pmod n$ $(1 \le i \le 2)$. From these equations, we 
obtain $S' = Y_1/Y_2 \bmod n$ which satisfies the relation $S'^L = (Y_1/Y_2)^L = I^{E_1 - E_2} = I 
\pmod n$. 

Zero knowledge: Let $\tilde{B}$ be any polynomial expected time algorithm for the verifier. 
The simulator $\tilde{M}$ does the following: 
repeat while $0 \le c < t$ 
begin 
choose $E' \in Z_L$ randomly and uniformly 
choose $Y = R \in Z_n$ randomly and uniformly 
$X = R^L / I^{E'} \pmod n$ 
$\tilde{B}$ issues E 

if $E = E'$ then halt, $c = c + 1$ and output (X, E, Y) 
end 

It can be demonstrated that $(A, \tilde{B})(n, I)$ and $\tilde{M}(n, I)$ are identically dis- 
tributed verifier's histories. For any verifier $\tilde{B}$, the probability that $E = E'$ is at 
least $1/L$. Thus, the average running time of this simulator $\tilde{M}$ is $O(t \cdot L)$, which is 
polynomial in |n| based on our assumptions of the values of L and t. Q.E.D. 
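One round of the Steps 1 to 4 protocol of this section, together with the two pieces of the Theorem 2 proof (the extractor of the soundness part and the simulator of the zero-knowledge part), as an added Python example that is not code from the paper. The toy modulus 143 = 11·13 and exponent L = 7 are constructed, and the verifier handed to the simulator is assumed to derive its challenge deterministically from X.

```python
import random
from math import gcd


def keygen(n, L, rng):
    """A's secret S (a unit mod n, so that I is invertible) and public I = S^L mod n."""
    while True:
        S = rng.randrange(2, n)
        if gcd(S, n) == 1:
            return S, pow(S, L, n)


def prover_commit(n, L, rng):
    """Step 1: A picks a random R and sends X = R^L mod n."""
    R = rng.randrange(1, n)
    return R, pow(R, L, n)


def verifier_challenge(L, rng):
    """Step 2: B sends a random E in Z_L."""
    return rng.randrange(L)


def prover_respond(n, S, R, E):
    """Step 3: A sends Y = R * S^E mod n."""
    return R * pow(S, E, n) % n


def verifier_check(n, L, I, X, E, Y):
    """Step 4: B accepts iff Y^L = X * I^E (mod n)."""
    return pow(Y, L, n) == X * pow(I, E, n) % n


def identify(n, L, S, I, rng, t):
    """Sequential version: Steps 1-4 repeated t times, accepted only if every round
    checks out (a single round catches a guessing impostor with probability 1 - 1/L)."""
    for _ in range(t):
        R, X = prover_commit(n, L, rng)
        E = verifier_challenge(L, rng)
        Y = prover_respond(n, S, R, E)
        if not verifier_check(n, L, I, X, E, Y):
            return False
    return True


def extract_root(n, L, I, X, E1, Y1, E2, Y2):
    """Soundness (Theorem 2): two accepting answers to the same commitment X whose
    challenges differ by exactly one give S' = Y1/Y2 mod n, an L-th root of I,
    without any help from the prover."""
    if E1 - E2 != 1:
        raise ValueError("need adjacent challenges E1 = E2 + 1")
    if not (verifier_check(n, L, I, X, E1, Y1) and verifier_check(n, L, I, X, E2, Y2)):
        raise ValueError("both transcripts must be accepting")
    return Y1 * pow(Y2, -1, n) % n


def simulate_round(n, L, I, verifier, rng):
    """Zero knowledge (Theorem 2): build an accepting (X, E, Y) without S by guessing
    the challenge E' first and setting X = Y^L / I^E'. `verifier` is the (possibly
    dishonest) verifier's challenge as a deterministic function of X; retry until it
    answers with the guessed value. Returns the transcript and the number of attempts,
    which averages at most L whatever the verifier does."""
    attempts = 0
    while True:
        attempts += 1
        E_guess = rng.randrange(L)
        Y = rng.randrange(1, n)
        X = pow(Y, L, n) * pow(pow(I, E_guess, n), -1, n) % n
        E = verifier(X)
        if E == E_guess:
            return (X, E, Y), attempts
```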

Remark: Evidently, we can extend the value of L to $O(|n|)$ in the above theorem. 

4. Parallel Version 

In this section, we consider a typical case where $k = t = 1$ and $p' = (L, p-1) > 1$ 
and $p' > q' = (L, q-1)$ for the parallel version. In this case, the difficulty of deriving 
S from I corresponds to that of factoring n according to Theorem 1. We define four 
security level notions, "transferable information with a (strict) security level p" and 
"transferable information with a (strict) sharp-threshold security level p," which are 
more rigorous than the notion "transferable information" defined by [FFS]. 

[Definition 3] The protocol (A, B) releases no transferable information with a se- 
curity level p if: 

1. It succeeds with overwhelming probability. 

2. There is no coalition of $\tilde{A}$, $\tilde{B}$ with the property that, after a polynomial number 
of executions of $(A, \tilde{B})$, it is possible to execute $(\tilde{A}, B)$ with $c \cdot p$ probability of 
success, where c is an arbitrary real constant greater than 1. 

The protocol (A, B) releases no transferable information with a strict security level p 
if: 

1. It succeeds with overwhelming probability. 

2'. There is no coalition of $\tilde{A}$, $\tilde{B}$ with the property that, after a polynomial number 
of executions of $(A, \tilde{B})$, it is possible to execute $(\tilde{A}, B)$ with $c \cdot p$ probability of 
success, where c is $(1 + 1/|n|^d)$ and d is an arbitrary constant greater than 0. 
The protocol (A, B) releases no transferable information with a sharp-threshold security 
level p if it satisfies conditions 1 and 2 above as well as the following condition: 

3. The probability of $\tilde{A}$ cheating B is p. 

The protocol (A, B) releases no transferable information with a strict sharp-threshold 
security level p if it satisfies conditions 1, 2' and 3. 

It has been proven that Fiat-Shamir's parallel version of the identification scheme 
releases no transferable information with a sharp-threshold security level [FFS], but 
not with a strict sharp-threshold security level. The following theorem and corollary 
guarantee the security of our parallel version using the new notion, "transferable infor- 
mation with a strict (sharp-threshold) security level." The following results are easily 
extended to the situation where k and t have other values. 

[Theorem 3]ﾠLet the parameters $k = t = 1$ and L satisfy $(L, p-1) = p' > 1$, 
$p' > (L, q-1) = q'$, and $L = O(1)$. When at least one of the following conditions 
C1, C2, C3, and C4 is satisfied, then the parallel version of our identification scheme 
releases no transferable information with a strict security level $1/p'$, if there is no 
probabilistic polynomial time algorithm for factoring. 

C1. $p' = \prod_{i=1}^{N} p_i$, where $p_i$ is a prime number, $p_i \ne p_j$ $(i \ne j)$, and $N > 1$. 

C2. $q' = \prod_{i=1}^{M} q_i$, where $q_i$ is a prime number, $q_i \ne q_j$ $(i \ne j)$, and $M > 1$. 

C3. $q' = 1$. 

C4. $(p', q') = 1$. 

Proof (sketch) Let $L = p' \cdot l_p$. To prove this theorem, we show that if $(\tilde{A}, B)$ 
can be executed with probability $\varepsilon = c/p' = (1 + 1/|n|^d)/p'$ after $O(|n|^e)$ executions 
of $(A, \tilde{B})$, then n can be factored by a coalition of $A, \tilde{A}, B$ and $\tilde{B}$ at most in time 
$O(\|\tilde{B}\| \cdot |n|^e + \|\tilde{A}\| \cdot |n|^d)$ and with overwhelming probability, where d and e are positive 
constants, and $\|\tilde{A}\|$ and $\|\tilde{B}\|$ denote the time complexities of $\tilde{A}$ and $\tilde{B}$. 

Given any pair of unusually successful programs $\tilde{A}$ and $\tilde{B}$, we start the factoriza- 
tion by executing $(A, \tilde{B})$ $O(|n|^e)$ times and relaying a transcript of the communication 
to $\tilde{A}$. Since A itself can be used in this part and its time complexity $\|A\|$ is assumed 
to be dominated by $\|\tilde{B}\|$, these executions require $O(\|\tilde{B}\| \cdot |n|^e)$. 

The possible outcomes of the executions of $(\tilde{A}, B)$ can be summarized in a large 
Boolean matrix H whose rows correspond to all possible choices of $R_{\tilde{A}}$. Its columns 
correspond to all the L possible choices of $R_B$, and its entries are 1 if B accepts $\tilde{A}$'s 
proof, and 0 otherwise. 

To factor n, the coalition tries to find at least $(l_p + 1)$ 1's along the same row 
in H. We call a row "heavy" if the number of 1's along it is at least $l_p + 1$. Assume 
that at least $1/c$ of the 1's in H are not located in heavy rows. Then the fraction of 
non-heavy rows in H, which we denote r, is estimated as follows: $r \ge \frac{\varepsilon L}{c\, l_p} = 1$. 
This is a contradiction. Therefore, at least $(1 - 1/c)$ of the 1's in H are located in 
heavy rows. We thus adopt the following strategy: 

1. Probe $O(1/\varepsilon)$ random entries in H. 

2. After the first 1 is found, probe $l_p \cdot O(1/\varepsilon)$ random entries along the same row. 
Because $c/(c-1) = 1 + |n|^d$, we can find a heavy row with constant probability 
in just $\frac{c}{c-1} \cdot \{O(1/\varepsilon) + l_p \cdot O(1/\varepsilon)\} = \frac{c}{c-1} \cdot \{(1 + l_p)\, O(1/\varepsilon)\} \le O(|n|^d)$ probes. Again we 
assume that $\|B\|$ is dominated by $\|\tilde{A}\|$ and thus the time complexity of this part of 
the algorithm is at most $O(\|\tilde{A}\| \cdot |n|^d)$. 

Next, we will prove that n can be factored by a coalition of $A, \tilde{A}, B$ and $\tilde{B}$ in 
polynomial time and with probability at least $1/p'$, when the coalition finds at least 
$(l_p + 1)$ 1's along the same row in H. 

Let Q be the set of queries E which are properly answered by $\tilde{A}$. Assume that 
all pairs of queries $(E', E'')$ satisfy $E'' - E' \ge p'$ where $E', E'' \in Q$. Since $\#Q \ge (l_p + 1)$, 
the largest difference between elements in Q is at least $l_p \cdot p' = L$. Here $\#Z_L = L$ and 
the largest difference between elements in $Z_L$ is at most $L - 1$. This is a contradiction. 
Therefore, it is proven that a set Q of at least $(l_p + 1)$ integers of $Z_L$ must contain at 
least one pair of integers $(E_1, E_2)$ such that $E_1 - E_2 < p'$. 

Let $(X, E_1, Y_1)$ and $(X, E_2, Y_2)$ be the two 1's in Q, i.e., the two possible 
outcomes of the execution of $(\tilde{A}, B)$, that satisfy $E_1 - E_2 < p'$. Since $(X, E_1, Y_1)$ and 
$(X, E_2, Y_2)$ satisfy the equation $(Y_1/Y_2)^L = I^{E_1 - E_2} \pmod n$, $Y_1/Y_2 \bmod n$ is 
one of the L-th roots mod n of $I^{E_1 - E_2} \bmod n$, and $S^{E_1 - E_2} \bmod n$ is also one of the 
L-th roots mod n of $I^{E_1 - E_2} \bmod n$, where S is known by A. 

We claim that from the X's and Y's sent by A during the execution of $(A, \tilde{B})$, 
even an infinitely powerful $\tilde{B}$ cannot determine which L-th root mod n of I A actually 
uses. This can be shown as follows: let $\omega$ be one of the L-th roots mod n of 1; then 
$S' = \omega \cdot S$ is another L-th root mod n of I other than S. If A replaces S with S', 
A produces the same X, Y with the same probability distribution, shown as follows: 
$X = R^L = (R \cdot \omega^{-E})^L \pmod n$ and $Y = S^E \cdot R = S'^E \cdot (R \cdot \omega^{-E}) \pmod n$. Since the 
R's are randomly chosen, A produces the same X, Y values with the same probability 
distribution in both cases. Therefore, during the executions of $(A, \tilde{B})$, A cannot leak 
to $\tilde{B}$ which L-th root mod n of $I^{E_1 - E_2} \bmod n$ he can compute from the S he knows. 
Thus, we have proven that the L-th roots mod n of $I^{E_1 - E_2} \bmod n$ which are known 
by A and computed by a coalition of $\tilde{A}, B$ and $\tilde{B}$ are totally independent. 

Next, we will prove that n can be factored with probability at least $1/p'$ using 
$S^{E_1 - E_2} \bmod n$ and $Y_1/Y_2 \bmod n$, if at least one of the conditions C1, C2, C3, and C4 
is satisfied, even if the value of $Y_1/Y_2 \bmod n$ is biased. Let $\omega = S^{E_1 - E_2}/(Y_1/Y_2) \bmod n$ and 
$\omega = [\omega_p, \omega_q]$. When C1 is satisfied, the probability of successfully factoring n using 
$\omega$ is at least $1/p'$. This is because: if $Ind_p(\omega_p) < Ind_q(\omega_q)$, then $\omega^{Ind_p(\omega_p)} \bmod n$ is 
Type2, and if $Ind_p(\omega_p) > Ind_q(\omega_q)$, then $\omega^{Ind_q(\omega_q)} \bmod n$ is Type3. Therefore, when 
$Ind_p(\omega_p) \ne Ind_q(\omega_q)$, the probability of successfully factoring n using $\omega$ is 1. Here, we 
will show that the probability of $Ind_p(\omega_p) \ne Ind_q(\omega_q)$ is at least $1/p'$. Let $p' = r_1 \cdot r_2$ 
such that $r_1 = (p', E_1 - E_2) < p'$, $\{v_1, \ldots, v_{r_2}\} = \{S'^{E_1 - E_2} \bmod p \mid S' \text{ is an } L\text{-th root} 
\text{ mod } n \text{ of } I\}$ and $v_0 = S^{E_1 - E_2} \bmod p$; then $(r_1, r_2) = 1$ because of C1, and $r_2 \ge 2$ because 
of Lemma 2. Therefore, there is at least one pair $(\omega_{p,i}, \omega_{p,j})$ satisfying $Ind_p(\omega_{p,i}) \ne 
Ind_p(\omega_{p,j})$ according to Lemma 4, where $\omega_{p,i} = v_i/v_0 \bmod p$ $(i = 1, \ldots, r_2)$. When 
C2 is satisfied, change the roles of p and q in the C1 case. When C3 is satisfied and 
$\omega \ne 1$, then $\omega$ is Type3 because $\omega = [\omega_p, 1]$ where $\omega_p \ne 1$. Since $\#\{S'^{E_1 - E_2} \bmod p \mid 
S' \text{ is an } L\text{-th root mod } n \text{ of } I\} \ge 2$, the probability of successfully factoring n using 
$\omega$ is at least 1/2. When C4 is satisfied and $\omega \ne 1$, then $\omega^{q'} \bmod n$ is Type3 because 
$\omega^{q'} = [\omega_p, 1]$ where $\omega_p \ne 1$. Since $\#\{S'^{E_1 - E_2} \bmod p \mid S' \text{ is an } L\text{-th root mod } n \text{ of } 
I\} \ge 2$, the probability of successfully factoring n using $\omega$ is at least 1/2. Therefore, 
the probability of successfully factoring n using $\omega$ is at least $1/p'$. 

Finally, we will prove that n can be factored by a coalition of $A, \tilde{A}, B$ and $\tilde{B}$ 
at most in time $p'\{O(\|\tilde{B}\| \cdot |n|^e) + O(\|\tilde{A}\| \cdot |n|^d)\} = O(\|\tilde{B}\| \cdot |n|^e + \|\tilde{A}\| \cdot |n|^d)$ and 
with overwhelming probability. When, for every f $(1 \le f \le p')$, $\omega^f \bmod n$ is Type1 
or Type4, n cannot be factored. Then A selects another S' randomly and calculates 
$I' = S'^L \bmod n$, and the coalition goes through the same procedure to factor n. The 
procedure is repeated until n can be factored. The average number of iterations is at 
most $p'$. Q.E.D. 

Remark: Evidently, we can extend the value of L to $O(|n|)$ in the above theorem. 
However, from the practical viewpoint, it is essential that the security level is a constant 
value, or a non-asymptotic value. Therefore, the condition of Theorem 3 for the order 
of L is optimal. 

[Corollary] Let the parameters $k = t = 1$ and L satisfy $(L, p-1) = L$, and 
$L = O(1)$. If at least one of the conditions C1, C2, C3, and C4 is satisfied, then the 
parallel version of our identification scheme releases no transferable information with 
a strict sharp-threshold security level $1/L$, if there is no probabilistic polynomial time 
algorithm for factoring. 

Proof It is proven that this protocol releases no transferable information with a 
strict security level $1/L$ because $(L, p-1) = L$ and because of Theorem 3. Here, 
$\tilde{A}$ can cheat B with probability $1/L$ because $\tilde{A}$ can guess $R_B$ with probability $1/L$. 
Q.E.D. 

5. Applications 

Signature scheme A triplet (M, E, Y) is sent as the signed message, where M is 
a message, h is a public pseudo-random function and $E = h(M, X) \in Z_L$, to turn the 
identification scheme into a signature scheme. Y here is the same as in Step 3 of the 
identification scheme. 

N-Party authentication scheme An N-party identification and signature protocol 
based on the Fiat-Shamir scheme was proposed by [BLY]. However, in the Fiat-Shamir 
scheme a large memory ($k \approx 100$) is required. Our parallel version is suited to their 
protocol with only one secret integer and $\log_2 L \approx 100$. 
6. Efficiency 

In this section, we focus on a typical implementation of our parallel version. 

Secret memory size This scheme requires |n| bits of secret information S, while 
the Fiat-Shamir scheme requires k|n| bits of secret information. The proposed scheme 
is therefore more efficient than the Fiat-Shamir scheme when $k \ge 2$. 

Transmission efficiency $(2|n| + |L|)$ bits are transmitted in this scheme, while 
$(2t|n| + kt)$ bits are transmitted in the Fiat-Shamir scheme. Note that when $t = 1$ is 
used in the Fiat-Shamir scheme, the k value must be large. 

Processing speed The amount of processing needed for this scheme is compared 
with the RSA [RSA] and Fiat-Shamir schemes using the average number of modular 
multiplications required to generate or verify a proof of identity. 

The RSA scheme requires $3|n|/2$ steps, the Fiat-Shamir scheme requires $t(k + 
2)/2$ steps, and the proposed scheme requires $(5l + 2)/2$ steps where $L = 2^l$. For 
example, when $tk = l = 20$, our parallel version requires 51 steps, while the Fiat-Shamir 
scheme requires 11 steps (where $k = 20$, $t = 1$) to 30 steps (where $k = 1$, $t = 20$), and 
the RSA scheme requires 768 steps where $|n| = 512$. 

When a prover uses a secret integer S satisfying $I^{-1} = S^L \bmod n$, a verifier 
checks whether $Y^L \cdot I^E = X \pmod n$ holds. The computations of $Y^L$ and $I^E$ can be 
combined, i.e., according to the value of E, a verifier can repeatedly square the results 
of the intermediate calculation, or square those results multiplied by I, as appropriate. 
This improved calculation requires $3l/2$ steps in the verification; for example, 30 steps 
are required when $l = 20$. 
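The combined square-and-multiply verification of this paragraph, as an added Python example that is not the paper's code: it uses the $I^{-1} = S^L \bmod n$ convention stated above and counts squarings and multiplications, so the $3l/2$ figure (l squarings plus about $l/2$ multiplications) can be checked on constructed toy values (modulus 143, $l = 4$).

```python
def public_key_inverse_form(n, l, S):
    """Section 6 convention: the public I is the inverse of S^L mod n, with L = 2^l."""
    return pow(pow(S, 1 << l, n), -1, n)


def prove(n, l, S, R, E):
    """Prover side, unchanged: X = R^L mod n and Y = R * S^E mod n."""
    return pow(R, 1 << l, n), R * pow(S, E, n) % n


def verify_combined(n, l, I, X, E, Y):
    """Evaluate Y^L * I^E mod n in one pass over the l bits of E, most significant
    first: every step squares the accumulator (contributing to Y^(2^l)) and, where the
    current bit of E is 1, multiplies by I (building I^E). Compared with computing
    pow(Y, L) and pow(I, E) separately, the l squarings of I^E are saved.
    Returns (accepted, number_of_squarings, number_of_multiplications)."""
    if not 0 <= E < (1 << l):
        raise ValueError("E must lie in Z_L with L = 2^l")
    acc, squarings, mults = Y % n, 0, 0
    for i in range(l - 1, -1, -1):
        acc = acc * acc % n
        squarings += 1
        if (E >> i) & 1:
            acc = acc * I % n
            mults += 1
    # invariant: acc == Y^(2^steps) * I^(E >> remaining bits), so acc == Y^L * I^E here
    return acc == X % n, squarings, mults
```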

7. Conclusion 

Combining our scheme with the Fiat-Shamir scheme provides greater flexibility 
because three appropriate design parameters of transmitted information size, memory 
size and speed can be selected. 

The parallel version described in Section 4 is more efficient than the Fiat-Shamir 
scheme from the standpoint of transmitted information size and secret information size, 
because it corresponds to $t = k = 1$ in their scheme. It is about one order of magnitude 
faster than the RSA scheme and is relatively slow in comparison with the Fiat-Shamir 
scheme. Our sequential and parallel versions are also shown to have the same security 
characteristics as the Fiat-Shamir scheme. 

Finally, we conclude with an open problem relating to the security level: when 
$(L, p-1) = p' < L$ and at least one of conditions C1, C2, C3, and C4 is satisfied, does 
the parallel version of our identification scheme release no transferable information 
with a strict sharp-threshold security level $1/p'$, if there is no probabilistic polynomial 
time algorithm for factoring? 
Abstract 

In 1986 Fiat and Shamir exhibited zero-knowledge based identification and digital signa- 
ture schemes which require only 10 to 30 modular multiplications per party. In this paper we 
describe an improvement of this scheme which reduces the verifier's complexity to less than 2 
modular multiplications and leaves the prover's complexity unchanged. 

The new variant is particularly useful when a central computer has to verify in real time 
signed messages from thousands of remote terminals, or when the same signature has to be 
repeatedly verified. 

1. Introduction. 

Informally speaking, a digital signature is a value associated with a message which is easy 
to verify but difficult to forge. After it has been generated and verified, the signature can later 
be presented to a judge, since the signer cannot disown his messages. An identification scheme is a 
simplified signature scheme in which there are no messages, disputes or judges: the proof of 
identity is interactive, and the verifier can either accept or reject the prover's claimed identity, 
with no legal or long-term consequences. To be useful and secure, the identification scheme 
should satisfy the following three conditions: 

1) A real verifier should accept a real prover's proof of identity with overwhelming probabil- 
ity. 

2) A real verifier should accept a cheating prover's proof of identity with negligible probabil- 
ity. 

3) A cheating verifier should not learn anything from polynomially many interactions with a 
real prover that will enable him to misrepresent himself as the prover to someone else 
with non-negligible probability. 

The best known example of a signature scheme is the RSA (Rivest, Shamir and 
Adleman [1978]). To use it as an identification scheme, the verifier can simply ask the prover to sign 
a random test message. The original scheme requires about 750 modular multiplications per 
party, but the verifier's complexity can be reduced to a few modular multiplications by using a 
low-exponent variant. A 512 bit implementation of the RSA scheme requires 10-15 seconds on 
IBM PC's, and several minutes on smart cards. 

A faster and provably secure identification and signature scheme was proposed in Fiat and 
Shamir [1986]. It is based on the zero knowledge paradigm introduced in Goldwasser, Micali and 
Rackoff [1985], and more particularly on the quadratic residuosity protocol presented by Fischer, 
Micali and Rackoff at Eurocrypt 84. The Fiat-Shamir protocol reduces the time and communi- 
cation complexities of the Fischer-Micali-Rackoff protocol by simultaneously proving the qua- 
dratic residuosity of many numbers, but by doing so it destroys the zero knowledge nature of 
the protocol. (The formal proof of security of the Fiat-Shamir protocol is thus based on the fact 
that it reveals no "transferable knowledge", which is a new measure of cryptographic strength 
introduced and studied in Feige, Fiat and Shamir [1987].) 

In this paper we show how to substantially speed up the Fiat and Shamir scheme. There 
are many variants of this scheme. Our ideas speed up each single one of them. Thus below we 
confine ourselves to recalling and speeding up its simplest version. 

2. The original Fiat-Shamir Scheme 

Let s be a security parameter and let n be the product of two random prime numbers 
whose size is s. (Unlike the RSA scheme, it is not necessary to know the factorization of n in 
order to execute the protocol, and thus each prover can pick his own public modulus n, or use 
a universal modulus n published by a trusted center.) 

Each prover picks a secret key consisting of k random numbers $s_1, \ldots, s_k$ in $Z_n^*$ (the 
multiplicative group mod n), computes $v_j = 1/s_j^2 \pmod n$ for $j = 1, \ldots, k$, and publishes $v_1, \ldots, v_k$ 
(along with n, if it was chosen by him) in a public key directory. 

The identification scheme is based on the following protocol: 

1) The prover picks a random r in $Z_n^*$, and sends $x = r^2 \pmod n$ to the verifier. 

2) The verifier sends k random bits $e_1, \ldots, e_k$ to the prover. 

3) The prover sends $y = r \prod_{e_j = 1} s_j \pmod n$ to the verifier. 

4) The verifier accepts the proof iff $x = y^2 \prod_{e_j = 1} v_j \pmod n$. 

In practice, we would accept the probability of successful misrepresentation to be at most 1 in a 
million per each attempt and thus a choice of k = 20 suffices for most applications. The key size 
(either public or private) in 512-bit implementations is about 1.3 kilobytes, and the average 
number of modular multiplications per party is about 10. The communication complexity is 
about 1000 bits per proof, but this can be almost halved by sending a hashed version of x to 
the verifier. Other optimizations and tradeoffs can be found in Fiat and Shamir [1986]. 



To turn this interactive identification scheme into a non-interactive signature scheme, it suffices 
to make $e = e_1, \ldots, e_k$ the value of a pseudo-random function f, easy to evaluate but 
hard to invert, at input (x, m), where m is the message to be signed. This pseudo-random 
function f is universal, and its values are accessible to all the parties. The resultant signature 
generation protocol is: 

1) Choose at random r in [0, n). 

2) Compute $e = f(r^2 \pmod n, m)$ and $y = r \prod_{e_j = 1} s_j$. 

3) Send e and y as the signature of m. 

The corresponding signature verification scheme is: 

Accept the signature iff $e = f(y^2 \prod_{e_j = 1} v_j \pmod n, m)$. 

The scheme is provably secure when f is a truly random function (computed by a trusted 
call-up center) or when f is a strong pseudo-random function in the sense of Goldreich, 
Goldwasser and Micali [GGM] given to the parties in tamper-proof devices: unless factoring is 
easy, a cheater cannot forge the signature of a new message with non-negligible probability 
even after he was given polynomially many signatures of other messages and polynomially 
many values of f at arguments of his choice. This sketched (but formalizable) proof breaks 
down for technical reasons when the parties are given access to the algorithm of f (and not just 
to its values). However, we strongly believe that the scheme remains secure even in this case, 
provided that f does not interact badly with the modular multiplication operations. 

Since a cheater can know in advance whether a proposed signature is valid, the value of k 
in practical implementations should be at least 64. This increases the key size to about 4 kilo- 
bytes, and increases the number of modular multiplications to about 32 per party. The size of a 
signature is 576 bits, about the same as in the RSA scheme. 

3. The New Improvement 

Our improvement comes about from choosing the $v_j$'s to be the first k prime numbers 
($v_1 = 2$, $v_2 = 3$, $v_3 = 5$, etc.). The $s_j$'s will then be set to be a random square root of the correspond- 
ing $v_j$ mod n. Each prover should choose his own modulus n and use its factorization in order 
to extract these roots. (The factorization is then no longer needed and it can be erased.) The 
actual proofs of identity and signatures are generated and verified in the standard way described 
in the previous section. 

Newly arising difficulties 

Before analyzing the efficiency of this scheme, it should be noticed that we have to over- 
come some technical difficulties. In fact, not all of the $v_j$'s will be quadratic residues mod n. We 
overcome this technical difficulty with an appropriate perturbation technique which will be 
described in the full version of the paper. 

Gain in efficiency 

The above additional difficulties are worth dealing with. Since our choice of the $v_j$'s is 
universal, provers should only publish n as their public key. This reduces the size of the public 
key directory to 64 bytes per user, and makes it possible to use the same directory in order to 
verify our new signatures, as well as other signatures based on factoring, like the previous 
Fiat-Shamir, the RSA and Rabin's scheme. The size of the secret key remains about 4 kilo- 
bytes, but this size is less critical since the information is stored LOCALLY rather than 
TRANSMITTED, and each user keeps only one such file. 

The main benefit of our improvement, though, is the GREATLY reduced complexity of 
verification: since most of the $v_j$'s are single-byte numbers, their product is particularly easy to 
compute and does not even require modular reductions! The only expensive operation left is the 
modular squaring of y, and thus the total complexity of verification is somewhere between 1 
and 2 modular multiplications. 
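The Section 2 identification and signature protocol with the small-prime $v_j$ of this section, as one added Python example that is not the authors' code, showing that the verifier's product needs no modular reduction. Constructed assumptions: toy primes p = 311, q = 479 (both 3 mod 4, so a square root is one exponentiation); $s_j$ is taken as a square root of $v_j^{-1}$ so that the Section 2 check $x = y^2 \prod v_j$ is kept unchanged; primes that are non-residues mod n are skipped, standing in for the unspecified perturbation technique; SHA-256 stands in for the pseudo-random function f.

```python
import hashlib
import random


def first_primes(count):
    """The first `count` primes by trial division (toy sizes)."""
    ps, c = [], 2
    while len(ps) < count:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps


def sqrt_mod_prime(a, p):
    """A square root of a mod the prime p = 3 (mod 4), or None if a is a non-residue."""
    r = pow(a, (p + 1) // 4, p)
    return r if r * r % p == a % p else None


def crt(a, p, b, q):
    """x = a (mod p), x = b (mod q) combined into x mod p*q."""
    return (a + p * (((b - a) * pow(p, -1, q)) % q)) % (p * q)


def keygen(p, q, k, rng):
    """Public key: n alone (the v_j are universal). Secret: s_j with s_j^2 * v_j = 1 mod n.
    The factorization is used once here, as the paper prescribes, and then dropped.
    Assumption: primes that are non-residues mod n are skipped (the paper's perturbation
    technique is not described in the abstract)."""
    n = p * q
    vs, ss = [], []
    for v in first_primes(4 * k):                # pool large enough to find k residues
        w = pow(v, -1, n)                        # s_j^2 must equal v_j^{-1}
        rp, rq = sqrt_mod_prime(w, p), sqrt_mod_prime(w, q)
        if rp is None or rq is None:
            continue
        s = crt(rng.choice((rp, p - rp)), p, rng.choice((rq, q - rq)), q)  # random root
        vs.append(v)
        ss.append(s)
        if len(vs) == k:
            break
    return n, vs, ss


def small_product(vs, bits):
    """prod of v_j over the bits e_j = 1, over ordinary integers: no modular reduction."""
    P = 1
    for v, e in zip(vs, bits):
        if e:
            P *= v
    return P


def prove(n, ss, r, bits):
    """Prover: y = r * prod(s_j for e_j = 1) mod n."""
    y = r
    for s, e in zip(ss, bits):
        if e:
            y = y * s % n
    return y


def verify(n, vs, x, bits, y):
    """Verifier: x == y^2 * prod(v_j) mod n; one modular squaring, one modular multiply."""
    return x == (y * y % n) * small_product(vs, bits) % n


def challenge_bits(x, m, k):
    """Stand-in for f(x, m): the first k bits of SHA-256 over the pair."""
    h = hashlib.sha256(f"{x}|{m}".encode()).digest()
    return [(h[i // 8] >> (i % 8)) & 1 for i in range(k)]


def sign(n, vs, ss, m, rng):
    """Signature (e, y) of message m: e = f(r^2 mod n, m), y = r * prod(s_j)."""
    r = rng.randrange(1, n)
    x = r * r % n
    bits = challenge_bits(x, m, len(vs))
    return bits, prove(n, ss, r, bits)


def verify_signature(n, vs, m, sig):
    """Recover x = y^2 * prod(v_j) mod n and check that e = f(x, m)."""
    bits, y = sig
    x = (y * y % n) * small_product(vs, bits) % n
    return bits == challenge_bits(x, m, len(vs))
```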

Security 

The security of the original Fiat-Shamir scheme is based on the fact that the extraction of 
square roots of random $v_j$ values is as difficult as the factorization of the modulus. This proof 
technique is not directly applicable to the new version, since the extraction of square roots of 
small primes may conceivably be easier than the extraction of square roots of random numbers. 

For simplicity's sake, let us discuss only the security of the identification scheme (the sig- 
nature scheme only needs a more complex notation). The identification scheme in question is 
based on zero-knowledge proofs. Very roughly (see Feige, Fiat and Shamir for a detailed 
discussion) this means that the proof of identity is constituted by a proof of "knowledge of 
something." In our case this "something" is not a proof of quadratic residuosity (either for a par- 
ticular prime or for all the primes) in the original language-theoretic sense of Goldwasser, Micali 
and Rackoff: Since the parties execute only one round of the protocol, the prover can succeed 
with probability 1/2 even if all the primes are quadratic non-residues! Similarly, the protocol is 
not a proof of knowledge of square roots (either for a particular prime or for all the primes) as 
in Feige, Fiat and Shamir: The knowledge tape could contain the square roots of all the 400 
pairwise products of the primes, and thus a cheating prover could convince the verifier with 
probability 1/2 without actually knowing even one of the original roots. 

A CAREFUL analysis, carefully omitted in this abstract!, shows that, in our scheme, this 
"something" is the square root of the product of a subset times the inverse of another subset of 
the first 20 primes. We thus need to argue that this piece of knowledge is not easily available 
to everyone, and thus distinguishes the prover from everyone else. We already know that 
extracting square roots modulo composite numbers is as hard as integer factorization. This 
implies the following fact: 

Assume there exists an algorithm A that, on input m (an s-bit long modulus) and S (a ran- 
dom set of quadratic residues mod m whose cardinality is k), finds a square root of the 
product of a subset of S and the inverse of another subset of S in time T(s). Then, there 
exists a factoring algorithm A* that runs essentially in time $2^k T(s)$. 

The proof of this fact, though not hard, is also postponed to the final paper. One would be 
tempted to conclude that if the "piece of knowledge" underlying our new scheme were comput- 
able in time T(s), then one could factor in one million T(s) steps an s-bit modulus, which 
would imply, as we need, that T(s) is large. This is, however, too hasty a conclusion. In fact, 
we can assume without loss of generality that the first 20 primes are quadratic residues (since 
our true scheme copes with those which are not squares mod n), but they are NOT a random 
subset of size 20. Thus a natural question arises: is the computational difficulty of extracting 
square roots of small primes any lower than for random (quadratic) residues? The answer 
appears to be negative. In fact, Morrison-Brillhart type methods would be substantially sped up 
if square roots of small primes were easier to compute! This and other details (including a for- 
mal intractability assumption) needed to transform this discussion into a proof will be given in 
the final paper. 

Let us mention that there is a more direct way to prove the security of our scheme if one 
is willing to make an intractability assumption that is stronger than the one derivable by formal- 
izing the above argument. Informally, this stronger assumption states that factoring remains 
difficult even when one is given the square root of a small number of small primes. 

It is worth mentioning that while such an assumption is sufficient to prove the security of 
the new scheme, its being false DOES NOT imply that our scheme is insecure! In fact, even if 
a cheating verifier knows how to factor n by using the square roots of a small number of small 
primes, he is unlikely to get hold of these square roots since the schemes are the parallel ver- 
sions of zero knowledge protocols. In other words, only the real prover is likely to benefit from 
such a number-theoretic breakthrough, but he already knows this factorization! 

Remark 

This improvement of the Fiat-Shamir scheme was discovered independently by the two 
authors. Additional optimization ideas will be described in the full version of this paper. 



A Basic Theory of Public and Private Cryptosystems 



by 

Charles Rackoff 
Dept. of Computer Science 
University of Toronto 



Not since the early work of [DH], [RSA], and [GM] has there been a great deal of work on the basic definition of "normal" cryptography, and on what it means for a cryptosystem to be secure. By normal cryptography, I mean not protocols to accomplish sophisticated goals, but merely the situation where party A wishes to send a message to party B over a line which is being tapped. Existing definitions of such a system, when they aren't too vague, are overly restrictive; existing definitions of security of such systems, when given rigorously, are usually overly liberal. In this paper I'll present what seem to me to be the proper definitions, give statements of the basic theorems I know about these definitions, and raise some very fundamental open questions. Most of the definitions and results appeared in [R].

A cryptosystem looks like the following picture.

[Figure: A and B connected by a tapped line; the two labelled inputs are "message" and "n-bit key".]

A and B are probabilistic interacting Turing Machines. Normally, if there is a private key, one only allows A to talk to B, but I allow A and B to talk back and forth. n is called the security parameter. The intuition behind the (plain-text) message is that it should consist of all bits to be sent by the cryptosystem until the universe dies; usually this is taken to be some fixed polynomial in n, but I find it more pleasing to let it be infinite. B must output its guess at the i-th bit of the message in time polynomial in n and i, including the computing time of A. We also need some kind of "on-line" condition; a natural (although not completely necessary) one is that A doesn't read bit i+1 of the message until B has output its guess at bit i. (For convenience, assume that the time at which A reads bit i of the message just depends on i and n.) A and B also read an n-bit key. The two sensitive issues are correctness and security. My definition of correctness allows a small probability of error for B. Although most definitions don't allow for this possibility, many suggested cryptosystems have in fact had this feature (since "prime" numbers that were used might not really be prime). My definition of security is intended to encompass all reasonable attacks by an eavesdropper, including chosen plain text attack. Most definitions given in the past (including those discussed in [MRS]) have the property that a secure system can be modified to be secure according to the other definition, but trivially breakable using a chosen plain text attack. The reader will note that neither the definition of correctness nor of security assumes any distribution on the message space. We will always assume (unless stated otherwise) that a cryptosystem is correct.

Correctness: For every c, d ∈ N, for every sufficiently large n ∈ N, for every α ∈ {0,1}* of length n^c: if A tries to send a message beginning with α and the key is randomly chosen (and the random bits of A and B are randomly chosen), then the probability that B outputs α is > 1 − (1/n^d).

Security: Let L = {L_1, L_2, ...} be a family of polynomial size "circuits". Actually, what L_n can do is as follows: it sees the communication between A and B up until the time A reads message bit 0; L_n then fixes message bit 0; L_n then sees the communication between A and B up until the time A reads message bit 1; L_n then fixes message bit 1; this continues up until some message bit i (i determined by L_n), which is chosen randomly from {0,1} (but not seen by L_n); L_n then sees the communication up until the time A reads message bit i+1; L_n then fixes message bit i+1; this continues until L_n chooses to output its guess at message bit i. Let p_n be the probability that L_n is successful at guessing this bit. Then for every d and sufficiently large n, p_n < (1/2) + (1/n^d).

Given a definition of security, it is easy to prove many of the facts normally assumed in the folklore. Theorems 1 and 2 below are examples. Another example is that a secure (in the sense of [GGM]) pseudo-random number generator implies the existence of a secure cryptosystem. Such a theorem, however, is only as meaningful as the definition of security is good.

In the definition of security, the listener is modeled as nonuniform "circuits" rather than as probabilistic algorithms. This isn't very important, but it makes theorems easier to prove and various things become cleaner. For example, with nonuniform circuits, it is not necessary to add probabilism to L since this would not affect the power of the listener. Certain other aspects of the definitions are there for cleanness and convenience. For example, if we had a system which was secure but only 3/4 correct (instead of 1 − (1/n^d)), the "majority" trick could be used to make it correct with probability exponentially close to 1, and still secure. If we had a system which was correct, but only secure if we replaced (1/2) + (1/n^d) by 3/4, then the "exclusive-or" trick could be used to convert it to one which is secure (although not, as far as we know, "exponentially close to 1/2" secure), and still correct.

If the key, instead of being chosen randomly, is chosen to be 0^n, then I call the system a public cryptosystem. Presumably, when people talk about a secure "key exchange protocol", what they mean is a public cryptosystem which is secure for sending (say) n message bits; these bits can be sent as a single block (rather than one bit at a time), possibly speeding things up by a factor of n, but the question of the existence of such a protocol appears to be equivalent to the question of the existence of a secure public cryptosystem. Theorem 1 shows that the open question about the existence of secure public cryptography can be formulated as a question of sending only 1 message bit securely. If A only sends to B, the system is called "1-pass"; if B sends to A and then A sends to B, the system is called "2-pass"; "i-passes" is defined in the obvious way. A 2-pass public system is what is often called a "public key cryptosystem", where the string sent by B is called the "public key". Theorem 2 is part of the basis of "public key cryptography".

Theorem 1: Let (A,B) be a public cryptosystem in which the first message bit is sent securely. Then a secure public cryptosystem (for all the bits) can be obtained by independently running (A,B) on each of the message bits (that is, each time, A and B start over and choose new random bits).

Theorem 2: Let (A,B) be a 2-pass public cryptosystem in which the first message bit is sent securely. Then a secure (for all the bits) 2-pass public cryptosystem can be obtained by running B once to see the string β that B would send; then run A independ­ently on each of the message bits, where each time A uses new random bits, but the same string β from B.

Theorem 3 is the analogue of Theorem 1 for (private) cryptosystems. 

Theorem 3: Let (A,B) be a (private) cryptosystem in which the first n+1 message bits are sent securely, where n is the security parameter. Then a secure (for all the bits) cryptosystem can be obtained as follows: say that α_0 is the key and that the message is b_0 b_1 b_2 ...; A generates random n-bit strings α_1, α_2, ...; (A,B) is run with key α_0 on the (n+1)-bit message α_1 b_0, then (A,B) is run with key α_1 on the (n+1)-bit message α_2 b_1, etc. Note that if (A,B) is 1-pass, then so is the new cryptosystem. However, the new cryptosystem will be probabilistic, even if A and B are deterministic.
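The Theorem 3 construction, as an added illustration rather than anything from the paper. The base system (A,B) is a hypothetical stand-in chosen for this example (an XOR mask derived from the key with SHA-256, working in bytes instead of bits), assumed here to send its n+1 units securely and not shown to be; the key-chaining wrapped around it is the construction the theorem describes, and the functions `chain_encrypt`, `chain_decrypt` and `demo` are this example's names.

```python
import hashlib
import os

# Added illustration (not from the paper) of the Theorem 3 construction.  The base system
# (A,B) is a hypothetical stand-in: it sends n+1 units of message under an n-unit key by
# XORing them with n+1 mask units derived from the key with SHA-256.  Units are bytes rather
# than bits, which only changes the granularity; nothing on the page specifies a base
# system, and this one is assumed, not shown, to be secure for its n+1 units.
KEY_LEN = 16                                  # the security parameter n (in bytes here)


def base_encrypt(key: bytes, block: bytes) -> bytes:
    """Base (A,B): n-unit key, exactly n+1 units of message, XOR with a key-derived mask."""
    assert len(key) == KEY_LEN and len(block) == KEY_LEN + 1
    mask = hashlib.sha256(b"base-system-mask" + key).digest()[:KEY_LEN + 1]
    return bytes(m ^ k for m, k in zip(block, mask))


base_decrypt = base_encrypt                   # XOR masking is its own inverse


def chain_encrypt(key0: bytes, message: bytes) -> list:
    """A's side of Theorem 3: with key a_0 and message b_0 b_1 b_2 ..., A draws fresh random
    n-unit strings a_1, a_2, ... and runs the base system with key a_i on the (n+1)-unit
    message a_{i+1} || b_i.  One-pass, and probabilistic although the base system is not."""
    blocks, a_i = [], key0
    for b in message:
        a_next = os.urandom(KEY_LEN)          # the random a_{i+1} generated by A
        blocks.append(base_encrypt(a_i, a_next + bytes([b])))
        a_i = a_next
    return blocks


def chain_decrypt(key0: bytes, blocks: list) -> bytes:
    """B's side: each block yields the next key and one message unit, so B can output its
    guess at b_i as soon as block i arrives (the on-line condition of the definitions)."""
    out, a_i = bytearray(), key0
    for c in blocks:
        plain = base_decrypt(a_i, c)
        a_i, b = plain[:KEY_LEN], plain[KEY_LEN]
        out.append(b)
    return bytes(out)


def demo(message: bytes) -> dict:
    """Round trip, on-line (prefix) decryptability and the probabilistic behaviour."""
    key0 = os.urandom(KEY_LEN)
    c1, c2 = chain_encrypt(key0, message), chain_encrypt(key0, message)
    return {
        "roundtrip": chain_decrypt(key0, c1) == message,
        "prefix": chain_decrypt(key0, c1[:3]) == message[:3],
        "randomized": c1 != c2,               # same key and message, yet different ciphertexts
    }


if __name__ == "__main__":
    print(demo(b"hello world"))
```

The point of the construction is visible in the loop: the base key is used for exactly one (n+1)-unit block and then replaced by the fresh key it carried, so no key is ever stretched beyond the n+1 units the base system is assumed to protect.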

Open Questions: Can it help to have more than 1 pass in a (private) 
cryptosystem? Can it help to have more than 2 passes in a public 
cryptosystem? Can it help to have more than 3 passes in a public 
cryptosystem? For each question, either prove a negative answer, or give 
a convincing example where the extra passes appear to help. 

It is interesting to note that there are settings, other than those discussed here, where one can either prove or give good evidence that extra interaction helps. An interesting example, of relevance to cryptography, appears in [BBR].

Theorem 5 below shows that at the moment, our ability to prove security of cryptosystems is severely limited. It is known that with a one-time pad, one can send n message bits securely with an n-bit random key. If P=NP, which we are unable to disprove, then this is essentially the best we can do. Theorem 5 can be proven by observing that in the proof of Theorem 4, all the listener had to be able to do was "approximate counting"; this task is in the polynomial time hierarchy by a result of [St] and [Si]. Theorem 5, at least in the case g(n)=0, has also been observed by other people. A version of Theorem 4 was first proved by Shannon [Sh].

Theorem 4: If we remove the polynomial time restriction on the listener, then there is no secure cryptosystem. In fact, a stronger result can be proved. Let g be a function such that g(n) is computable in time polynomial in n, and 0 ≤ g(n) ≤ n. Then there is no cryptosystem which sends g(n)+1 bits securely (against an unrestricted time listener) if only the first g(n) bits of the key are chosen randomly (and the rest are fixed, say, to be 0).

Theorem 5: If P=NP, then for g as in Theorem 4, even if the listener is restricted to polynomial time, there is no cryptosystem which sends g(n)+1 bits securely if only the first g(n) bits of the key are chosen randomly.

Probably the most important open issue in all of cryptography concerns which conjectures can be used to prove the existence of secure cryptosystems. The assumption P≠NP is certainly necessary, but probably not sufficient. The only natural assumptions currently in use relate to the difficulty of integer factorization or discrete log. One possible thing to search for is a "complete" cryptosystem H: one whose insecurity would imply the insecurity of every other system H'. Using ideas of Levin, such a system can be constructed by a kind of diagonalization. Such a "complete" system can also be constructed for the class of 1-pass cryptosystems, for the class of public cryptosystems, and for the class of 2-pass public cryptosystems. I will not define this notion of "complete" precisely, since in any case, it has the following problem: the time to break H', given an oracle for breaking H, requires time only polynomial in n, but exponential in the size of the description of H'.

Open Question: Is there a cryptosystem whose security problem is 
"complete" in an appropriate sense? 

Lastly, I'd like to point out what I have not talked about here. I haven't discussed the scenario where there is a group of mutually distrusting people, each pair of which wishes to communicate in the presence of a listener. Although many solutions to this problem (and more complicated ones) have been proposed, I have seen no rigorous definition of this scenario, let alone any definition of what security would mean in such a setting. Of course, there are related subproblems which have been rigorously studied: examples are signature schemes ([GMR]) and the problems studied in this paper. But it appears to be very difficult to talk about the more complicated situation, and it can be very dangerous to think that security can necessarily be understood in terms of security in simpler situations. For example [GMT] point out that if a secure 2-pass public cryptosystem is used in the obvious way to create a "public key network of users", the result might wind up being insecure.

The difficulties involved in understanding the relatively simple 
situation discussed in this paper imply that one must approach the more 
complicated (and realistic) situations very slowly and with a great deal of 
care. 
Abstract



The relevance of zero knowledge to cryptography has become apparent in recent years. In this paper we advance this theory by showing that interaction in any zero-knowledge proof can be replaced by sharing a common, short, random string. This advance finds immediate application in the construction of the first public-key cryptosystem secure against chosen ciphertext attack.

Our solution, though not yet practical, is of theoretical significance, since the existence of cryptosystems secure against chosen ciphertext attack has been a famous long-standing open problem in the field.

1 Introduction 

Recently [GMR] have shown that it is possible to prove that some theorems are true 
without giving the slightest hint of why this is so. This is rigorously formalized in 
the somewhat paradoxical notion of a zero-knowledge proof system. 

If secure encryption schemes exist, though, these proof systems are far from being a rare and bizarre event. In fact, under this assumption, [GMW] demonstrate that any language in NP possesses zero-knowledge proof systems.

Actually, as recently pointed out by Impagliazzo [I] and Ben-Or, Goldreich, Goldwasser, Hastad, Kilian, Micali and Rogaway [BGGHKMR], the same is true for all languages in IP; also, as pointed out by Blum [B2], any theorem at all admits a proof that conveys zero-knowledge other than betraying its own length.

Zero-knowledge proofs have proven very useful both in complexity theory and in cryptography. For instance, in complexity theory, via results of Fortnow [F] and Boppana and Hastad [BH], zero-knowledge provides us an avenue to convince ourselves that certain languages are not NP-complete. In cryptography, zero-knowledge proofs have played a major role in the recently proven completeness theorem for protocols with honest majority [GMW2]. They also have inspired rigorously-analyzed identification schemes that are as efficient [FFS] and even more efficient [MS] than folklore ones.

Despite its wide applicability, zero-knowledge remains an intriguing notion: What 
makes zero-knowledge proofs work? 

Three main features differentiate all known zero-knowledge proof systems from 
more traditional ones: 

1. Interaction: The prover and the verifier talk back and forth.

2. Hidden Randomization: The verifier tosses coins that are hidden from the prover and thus unpredictable to him.

3. Computational Difficulty: The prover imbeds in his proofs the computational difficulty of some other problem.

At a first glance, all of these ingredients appear to be necessary. This paper makes a first, important step in distilling what is essential in a zero-knowledge proof. We show that computational difficulty alone (for instance the hardness of distinguishing products of 2 primes from products of 3 primes) may make inessential the first resource (interaction) and eliminate the secrecy of the second resource (randomness). That is, if the prover and the verifier share a common random string, the prover can non-interactively and yet in zero-knowledge convince the verifier of the validity of any theorem he may discover. A bit more precisely, for any constants c and d, sharing a k-bit long random string allows a prover P to prove in zero-knowledge to a poly(k)-time verifier V any k^c theorems of k^d size non-interactively; that is, without ever reading any message from V.

A Conceptual Scenario: Think of P and V as two mathematicians. After having played "heads and tails" for a while, or having both witnessed the same random event, P leaves for a long trip around the world, during which he continues his mathematical investigations. Whenever he discovers a theorem, he writes a postcard to V proving the validity of his new theorem in zero-knowledge. Notice that this is necessarily a non-interactive process; better said, it is a mono-directional interaction: from P to V only. In fact, even if V would like to answer or talk to P, he couldn't: P has no fixed (or predictable) address and will move away before any mail can reach him.
1.1 Our Model Versus the Old One

While the definition of zero-knowledge remains unchanged, the mechanics of the computation of the prover and verifier change dramatically.

Notice that sharing a random string σ is a weaker requirement than being able to interact. In fact, if P and V could interact they would be able to construct a common random string by coin tossing over the phone [B1]; the converse, however, is not true.

Also notice that sharing a common random string is a requirement even weaker than having both parties access a random beacon in Rabin's sense (e.g. - perhaps! - the same Geiger counter). In this latter case, in fact, all coin tosses already made would be seen by the prover, but the future ones would still be unpredictable to him. By contrast, our model allows the prover to see in advance all the coin tosses of the verifier. That is, the zero-knowledgeness of our proofs does not depend on the secrecy, or unpredictability, of σ, but on the "well mixedness" of its bits! This curious property makes our result potentially applicable. For instance, all libraries in the country possess identical copies of the random tables prepared by the RAND Corporation. Thus, we may think of ourselves as being already in the scenario needed for non-interactive zero-knowledge proofs.

1.2 The Robustness of Our Result 

As we have already said, we guarantee that all theorems proved in our proof systems are correct and zero-knowledge if the string σ is a truly random one. We may rightly ask what would happen if σ was not, in fact, truly randomly selected. Fortunately, the poor randomness of σ may upset the zero-knowledgeness of our theorems, but not their correctness. That is, for almost all (poorly random) σ's, there is no wrong statement that can be accepted by the verifier. This is indeed an important property as we can never be sure of the quality of our natural sources of randomness. Unfortunately, due to the limitations of an extended abstract, we cannot further elaborate on this and similar points. We wish, however, to point out the following important corollary of our result.

1.3 Applications of our Result 

A very noticeable application of non-interactive zero-knowledge is the construction of encryption schemes à la Diffie and Hellman that are secure against chosen ciphertext attacks. Whether such schemes existed has been a fundamental open problem ever since the appearance of complexity-based cryptography. We will discuss this application in Section 3.

1.4 What's Coming 

The next section is devoted to setting up our notation, recalling some elementary facts from Number Theory and stating the complexity assumption which suffices to show the existence of non-interactive zero-knowledge proofs.

In Section 3, we show the "single-theorem" case. That is, we show that if a k^4-bit string σ is randomly selected and given to both the prover and the verifier, then the first can prove, for any single string x (of length k) belonging to an NP-language L, that indeed x ∈ L; the proof will be a zero-knowledge one whenever x is independent of σ.

In the final paper [BDFMP], we will show the "many-theorems" case. Namely, that for each fixed polynomial Q(·), using the same randomly chosen k^4-bit string, the prover can show in zero-knowledge membership in NP languages for any Q(k) strings of length Q(k).

The complexity assumption under which the result holds is the computational difficulty of deciding quadratic residuosity.

We would like to point out that the proof of the many-theorems result in the earlier versions of [BFM] and [DMP] contained a gap: it required, beyond the stated number theoretic assumptions, a stronger property about pseudo-random generators. This stronger property is not needed in the final paper.

2 Preliminaries 

2.1 Notations and Conventions 

Let us quickly recall the standard notation of [GoMiRi].

We emphasize the number of inputs received by an algorithm as follows. If algorithm A receives only one input we write "A(·)", if it receives two inputs we write "A(·,·)" and so on.

If A(·) is a probabilistic algorithm, then for any input x, the notation A(x) refers to the probability space that assigns to the string a the probability that A, on input x, outputs a. If S is a probability space, then Pr_S(e) denotes the probability that S associates with the element e.

If f(·) and g(·,...,·) are probabilistic algorithms then f(g(·,...,·)) is the probabilistic algorithm obtained by composing f and g (i.e. running f on g's output). For any inputs x, y, ... the associated probability space is denoted by f(g(x, y, ...)).

If S is any probability space, then x ← S denotes the algorithm which assigns to x an element randomly selected according to S. If I is a finite set, then the notation x ← I denotes the algorithm which assigns to x an element selected according to the probability space whose sample space is I and uniform probability distribution on the sample points.

The notation Pr(x ← S; y ← T; ... : p(x, y, ...)) denotes the probability that the predicate p(x, y, ...) will be true after the ordered execution of the algorithms x ← S, y ← T, ...

The notation {x ← S; y ← T; ... : (x, y, ...)} denotes the probability space over {(x, y, ...)} generated by the ordered execution of the algorithms x ← S, y ← T, ...

Let us recall the basic definitions of [GMR]. We address the reader to the original 
paper for motivation, interpretation and justification of these definitions. 
Let U = {U(x)} be a family of random variables taking values in {0,1}*, with the parameter x ranging in {0,1}*. U = {U(x)} is called a poly-bounded family of random variables if, for some constant e ∈ N, all random variables U(x) ∈ U assign positive probability only to strings whose length is exactly |x|^e.

Let C = {C_x} be a poly-size family of boolean circuits, that is, for some constants c, d > 0, all C_x have one boolean output and at most |x|^c gates and |x|^d inputs. In the following, when we say that a random string, chosen according to U(x), where {U(x)} is a poly-bounded family of random variables, is given as input to C_x, we assume that the length of the strings that are assigned positive probability by U(x) equals the number of boolean inputs of C_x.

Definition 2.1 (Indistinguishability). Let L ⊆ {0,1}* be a language. Two poly-bounded families of random variables U = {U(x)} and V = {V(x)} are indistinguishable on L if for all poly-size families of circuits C = {C_x},

$$ \left| \Pr(a \leftarrow U(x) : C_x(a) = 1) - \Pr(a \leftarrow V(x) : C_x(a) = 1) \right| < |x|^{-c} $$

for all positive constants c and sufficiently large x ∈ L.

Definition 2.2 (Approximability). Let L ⊆ {0,1}* be a language. A family of random variables U = {U(x)} is approximable on L if there exists a probabilistic Turing machine M, running in expected polynomial time, such that the families {U(x)} and {M(x)} are indistinguishable on L.



2.2 Number Theory 

Let Z_s(k) denote the set of integers product of s > 1 distinct primes of length k.

Let N be the set of the natural numbers, x ∈ N, Z_x^* = {y | 1 ≤ y < x, gcd(x, y) = 1} and Z_x^{+1} = {y ∈ Z_x^* | (y|x) = +1}, where (y|x) is the Jacobi symbol. We say that y ∈ Z_x^* is a quadratic residue modulo x iff there is w ∈ Z_x^* such that w^2 = y mod x. If this is not the case we call y a quadratic non residue modulo x.

Define the quadratic residuosity predicate to be

$$ Q_x(y) = \begin{cases} 0, & \text{if } y \text{ is a quadratic residue modulo } x; \\ 1, & \text{otherwise;} \end{cases} $$

and the languages QR and QNR as

$$ QR = \{(y, x) \mid Q_x(y) = 0\}, $$

$$ QNR = \{(y, x) \mid y \in Z_x^{+1} \text{ and } Q_x(y) = 1\}. $$




Fact 1: Let ~ be the relation so defined: y_1 ~ y_2 iff Q_x(y_1 y_2) = 0. Then ~ is an equivalence relation in Z_x^{+1}. Two elements are equivalent if they have the same quadratic character modulo each of the prime divisors of x. Thus, if x ∈ Z_2(k) there are 2 equivalence classes, if x ∈ Z_3(k) there are 4; in general if x = p_1^{e_1} ··· p_n^{e_n} where each p_i is a prime > 2 and p_i ≠ p_j if i ≠ j, then there are 2^n equivalence classes.

Fact 2: For each y_1, y_2 ∈ Z_x^{+1} one has

$$ Q_x(y_1 y_2) = Q_x(y_1) \oplus Q_x(y_2), $$

where ⊕ denotes the exclusive or operator.

Fact 3: The Jacobi symbol function (·|·) is polynomial-time computable.

We now formalize the complexity assumption that is sufficient for non-interactive zero-knowledge. Namely, that it is computationally hard to distinguish the integers product of 2 primes from the ones product of 3 primes.

2.3 A Complexity Assumption

2OR3A: for each poly-size family of circuits {C_k | k ∈ N}

$$ |P_{Z_2}(k) - P_{Z_3}(k)| < k^{-c} $$

for all positive constants c and sufficiently large k; where

$$ P_{Z_2}(k) = \Pr(x \leftarrow Z_2(k) : C_k(x) = 1) \quad \text{and} \quad P_{Z_3}(k) = \Pr(x \leftarrow Z_3(k) : C_k(x) = 1). $$

2OR3A is a stronger assumption than assuming that deciding quadratic residuosity is hard. (Having an oracle for Q_n(·) allows one to probabilistically count the number of ~ equivalence classes in Z_n^{+1} and thus, by Fact 1, to distinguish whether n ∈ Z_2(k) or n ∈ Z_3(k).) Thus we can freely use that quadratic residuosity is computationally hard (as formalized below) without increasing our assumption set.

Quadratic Residuosity Assumption (QRA):

For each poly-size family of circuits {C_k | k ∈ N},

$$ \Pr(x \leftarrow Z_2(k);\; y \leftarrow Z_x^{+1} : C_k(x, y) = Q_x(y)) < 1/2 + 1/k^{\omega(1)}. $$

The QRA was introduced in [GM] and is now widely used in Cryptography. The current fastest algorithm to compute Q_x(y) is to first factor x and then compute Q_x(y), while it is well known that, given the factorization of x, Q_x(y) can be computed in O(|x|^3) steps. In what follows, we choose x ∈ Z_2(k) since these integers constitute the hardest input for any known factoring algorithm.
3 Single-Theorem Non-Interactive Zero-Knowledge Proofs

To prove the existence of single-theorem Non-Interactive Zero-Knowledge Proof Systems (single-theorem non-interactive ZKPS) for all NP languages, it is enough to prove it for 3COL, the NP-complete language of the 3-colorable graphs [GJ]. For k > 0, we define the language 3COL_k = {x ∈ 3COL | |x| ≤ k}.

Definition 3.1. A Single-Theorem Non-Interactive ZKPS is a pair (A,B) where A (the Prover) is a Probabilistic Turing Machine and B(·,·,·) (the Verifier) is a deterministic algorithm running in time polynomial in the length of its first input, such that:

1. Completeness. (The probability of succeeding in proving a true theorem is overwhelming.)

∃c > 0 such that ∀x ∈ 3COL_k

$$ \Pr(\sigma \leftarrow \{0,1\}^{n^c};\; y \leftarrow A(\sigma, x) : B(x, y, \sigma) = 1) > $$

2. Soundness. (The probability of succeeding in proving a false theorem is negligible.)

∃c > 0 such that ∀x ∉ 3COL_k and for each Probabilistic Turing Machine A'

$$ \Pr(\sigma \leftarrow \{0,1\}^{n^c};\; y \leftarrow A'(\sigma, x) : B(x, y, \sigma) = 1) < n^{-\omega(1)}. $$

3. Zero-Knowledge. (The proof gives no information but the validity of the theorem.)

∃c > 0 such that the family of random variables V = {V(x)} is approximable over 3COL, where

$$ V(x) = \{\sigma \leftarrow \{0,1\}^{|x|^c};\; y \leftarrow A(\sigma, x) : (\sigma, y)\}. $$

Remark: Notice that, as usual, the zero-knowledge condition guarantees that the verifier's view can be well simulated; that is, all the verifier may see can be reconstructed with essentially the same odds. In our scenario, what the verifier sees is only the common random string and the proof, i.e., the string y received from A. Notice that in our scenario, the definition of zero-knowledge is simpler. As there is no interaction between B and A, we do not have to worry about possible cheating by the verifier to obtain a "more interesting view." That is, we can eliminate the quantification "∀B'" from the original definition of [GMR].
Theorem 3.1. Under the QRA, there exists a Single-Theorem Non-Interactive ZKPS for 3-COL.

This theorem will be rigorously proven in the final paper. Here we restrict ourselves to informally describing the programs P and V of a single-theorem non-interactive ZKPS (P,V) and, even more informally, to arguing that they possess the desired properties.

3.1 The Proof System (P,V)

Instructions for P

1. Randomly select n_1, n_2, n_3 ∈ Z_2(k).

2. For i = 1,2,3 randomly select q_i such that (q_i|n_i) = 1 and q_i is a quadratic non-residue mod n_i.

3. Color G with colors 1,2,3.

4. For each node v of G whose color is i, label v with a randomly selected triplet (v_1, v_2, v_3) ∈ Z_{n_1}^{+1} × Z_{n_2}^{+1} × Z_{n_3}^{+1} such that Q_{n_i}(v_i) = 0 and Q_{n_j}(v_j) = 1 for j ≠ i. Call G' the so labeled G.

{Remark 1: WLOG (else purge σ in the "right way") let σ = σ_1 ∘ σ_2 ∘ σ_3 ∘ σ_4 ∘ ···, where all triplets (σ_1, σ_2, σ_3), (σ_4, σ_5, σ_6), ... belong to Z_{n_1}^{+1} × Z_{n_2}^{+1} × Z_{n_3}^{+1}.}

{Convention: The first 8k triplets are assigned to the first edge of G (in the lexicographic order), the next 8k triplets to the second edge, and so on.}

5. For each edge (a,b) of G' (where node a has label (a_1, a_2, a_3) and node b (b_1, b_2, b_3)) and each of its 8k assigned triplets (z_1, z_2, z_3) compute one of the following types of signature.

{Comment: Only one is applicable if steps 1-4 are performed correctly.}

(√z_1, √z_2, √z_3)                                    type 0
(√(q_1 z_1), √z_2, √z_3)                              type 1
(√z_1, √(q_2 z_2), √z_3)                              type 2
(√z_1, √z_2, √(q_3 z_3))                              type 3
(√(a_1 z_1), √(a_2 z_2), √(a_3 z_3))                  type 4
(√(b_1 z_1), √(b_2 z_2), √(b_3 z_3))                  type 5
(√(a_1 b_1 z_1), √(a_2 b_2 z_2), √(a_3 b_3 z_3))      type 6
(√(q_1 z_1), √(q_2 z_2), √(q_3 z_3))                  type 7

{Notation "by example": Let z_1 be a quadratic non residue mod n_1, z_2 a quadratic residue mod n_2, and z_3 a quadratic residue mod n_3. Then the signature of the triplet (z_1, z_2, z_3) is a triplet of type 1: (√(q_1 z_1), √z_2, √z_3), where √(q_1 z_1) denotes a randomly selected square root of the quadratic residue q_1 · z_1 mod n_1; and for i = 2,3 √z_i denotes a randomly selected square root of z_i mod n_i.}

6. Send V n_1, n_2, n_3, q_1, q_2, q_3, G', and the signature of the triplets composing σ.

{Comment: Note that the nodes of G' are labelled with triples, not with colors!}

Instructions for V

1. Verify that n_1, n_2, and n_3 are not even and not integer powers. Verify that G' is a proper labelling of G. That is, each node v has assigned a triplet (v_1, v_2, v_3) such that v_i ∈ Z_{n_i}^{+1} for i = 1,2,3.

2. Break σ into triplets, verify that for each edge you received a signature of some type for each of its 8k triplets.

3. If all the above verifications have been successfully made, accept that G is 3-colorable.
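The signature mechanism of steps 4-5 of P and steps 1-2 of V, together with the number-theoretic Facts 1-3 of Section 2.2 that it relies on, as an added worked example that is not the paper's own code. The three moduli are constructed toy values whose primes are 3 mod 4, so that the prover's square roots come from one exponentiation per prime and the Chinese remainder theorem; function names such as `sign_triplet` and `edge_demo` are this example's, not the paper's. Beyond the protocol text, the example also exercises the case the soundness argument turns on: when both endpoints of an edge carry the same colour, the eight multiplier patterns collapse to six and about a quarter of the random triplets admit no signature at all.

```python
import random
from math import gcd

# Added example (not the paper's code): the number theory of Section 2.2 and the per-edge
# "signature" mechanism of the proof system (P,V) of Section 3.1.  The moduli are constructed
# toy values, far too small for security; each n_i = p_i*q_i has p_i = q_i = 3 (mod 4) so that
# square roots are cheap for whoever knows the factorisation (the prover, never the verifier).
FACTORS = [(11, 19), (23, 31), (43, 47)]          # hypothetical (p_i, q_i) for n_1, n_2, n_3
N = [p * q for p, q in FACTORS]

def jacobi(a, n):
    """Jacobi symbol (a|n) for odd n > 0 (Fact 3: polynomial time, no factorisation needed)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def qr_predicate(y, p, q):
    """Q_x(y) for x = p*q given the factorisation: 0 iff y is a square mod both p and q."""
    return 0 if pow(y, (p - 1) // 2, p) == 1 and pow(y, (q - 1) // 2, q) == 1 else 1

def sqrt_mod(y, p, q):
    """A randomly chosen square root of the quadratic residue y modulo p*q (p, q = 3 mod 4)."""
    rp, rq = pow(y, (p + 1) // 4, p), pow(y, (q + 1) // 4, q)
    rp, rq = random.choice((rp, p - rp)), random.choice((rq, q - rq))
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def sample_plus1(i, residue=None):
    """Random element of Z_{n_i}^{+1}; residue=True/False additionally forces Q_{n_i} = 0 / 1."""
    p, q = FACTORS[i]
    while True:
        y = random.randrange(2, N[i])
        if gcd(y, N[i]) == 1 and jacobi(y, N[i]) == 1 and \
                (residue is None or (qr_predicate(y, p, q) == 0) == residue):
            return y

def fact2_holds(i, trials=200):
    """Fact 2: Q_x(y1*y2) = Q_x(y1) xor Q_x(y2) on Z_x^{+1}, checked on random samples."""
    p, q = FACTORS[i]
    for _ in range(trials):
        y1, y2 = sample_plus1(i), sample_plus1(i)
        if qr_predicate(y1 * y2 % N[i], p, q) != qr_predicate(y1, p, q) ^ qr_predicate(y2, p, q):
            return False
    return True

def label_node(colour):
    """Step 4 of P: colour i (0, 1 or 2 here) becomes a triplet that is a residue only at position i."""
    return tuple(sample_plus1(i, residue=(i == colour)) for i in range(3))

def type_multipliers(a, b, q):
    """Step 5 of P: a type-t signature of (z1,z2,z3) is (sqrt(m1*z1), sqrt(m2*z2), sqrt(m3*z3))
    with (m1,m2,m3) the entry below; a, b are the edge's node labels, q the three non-residues."""
    return {0: (1, 1, 1), 1: (q[0], 1, 1), 2: (1, q[1], 1), 3: (1, 1, q[2]),
            4: a, 5: b, 6: tuple(a[i] * b[i] % N[i] for i in range(3)), 7: q}

def sign_triplet(z, a, b, q):
    """Prover: the type whose multipliers make every m_i*z_i a residue, plus random roots of them.
    Returns None when no type applies, which cannot happen for a properly coloured edge."""
    for t, m in type_multipliers(a, b, q).items():
        if all(qr_predicate(m[i] * z[i] % N[i], *FACTORS[i]) == 0 for i in range(3)):
            return t, tuple(sqrt_mod(m[i] * z[i] % N[i], *FACTORS[i]) for i in range(3))
    return None

def verify_signature(z, a, b, q, sig):
    """Verifier: only Jacobi symbols (step 1 of V) and squarings (step 2); no factorisation."""
    if sig is None or any(jacobi(x, N[i]) != 1 for i in range(3) for x in (z[i], a[i], b[i], q[i])):
        return False
    t, roots = sig
    m = type_multipliers(a, b, q)[t]
    return all(pow(roots[i], 2, N[i]) == m[i] * z[i] % N[i] for i in range(3))

def edge_demo(colour_a, colour_b, trials=64):
    """Sign `trials` random triplets for one edge; returns (#signed, #verified).
    Different colours: every triplet is signed and verified.  Equal colours (a cheating prover):
    types 4 and 5 coincide and type 6 collapses onto type 0, so about 1 in 4 triplets is unsignable."""
    q = tuple(sample_plus1(i, residue=False) for i in range(3))
    a, b = label_node(colour_a), label_node(colour_b)
    signed = verified = 0
    for _ in range(trials):
        z = tuple(sample_plus1(i) for i in range(3))
        sig = sign_triplet(z, a, b, q)
        signed += sig is not None
        verified += verify_signature(z, a, b, q, sig)
    return signed, verified

def tampered_rejected():
    """A signature whose roots are replaced is refused by V."""
    q = tuple(sample_plus1(i, residue=False) for i in range(3))
    a, b, z = label_node(0), label_node(1), tuple(sample_plus1(i) for i in range(3))
    t, _ = sign_triplet(z, a, b, q)
    return not verify_signature(z, a, b, q, (t, (0, 0, 0)))

if __name__ == "__main__":
    print("honest edge:", edge_demo(0, 1), " same-coloured edge:", edge_demo(1, 1))
```

The verifier side is deliberately factorisation-free: membership in Z_{n_i}^{+1} is the Jacobi test of Fact 3, and a signature is checked purely by squaring, which is what keeps V polynomial-time without any trapdoor. The residuosity pattern of a label (a residue in exactly one coordinate) is the colour, so with 8k random triplets per edge a same-coloured edge is caught with overwhelming probability.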

3.2 A Rough Idea of why (P,V) is a Single-Theorem Non-Interactive ZKPS

First notice that the communication is mono-directional: from P to V. Then let us convince ourselves that the statement of Remark 1 really holds without loss of generality. In our context, WLOG means with overwhelming probability.

If $G$ has $a$ edges, our protocol assumes $\sigma$ to consist of $8 \cdot k \cdot a$ triplets in $Z_{n_1}^{+1} \times Z_{n_2}^{+1} \times Z_{n_3}^{+1}$. Such a string $\sigma$ is easily obtainable from a (not too much larger) random string $\rho$. Consider $\rho$ to be the concatenation of $k$-bit strings grouped into triplets

$\rho = (\rho_1, \rho_2, \rho_3)(\rho_4, \rho_5, \rho_6) \cdots$

Then obtain $\sigma$ by "purging" $\rho$. That is, obtain $\sigma$ from $\rho$ by discarding all triplets not in $Z_{n_1}^{+1} \times Z_{n_2}^{+1} \times Z_{n_3}^{+1}$. We now argue that $\rho$ is not much longer than $\sigma$. Let $n$ be either $n_1$ or $n_2$ or $n_3$. Now a random $k$-bit integer (with possible leading 0's) is less than $n$ with probability $> 1/2$; a random integer less than $n$ belongs to $Z_n^*$ with probability essentially 1 (it fails only if it shares a prime factor with $n$, and the prime factors of $n$ are large); a random element of $Z_n^*$ belongs to $Z_n^{+1}$ with probability exactly $1/2$. Thus each coordinate of a random triplet survives the purge with probability about $1/4$, and we expect at least 1 in 64 of the triplets of $\rho$ not to be discarded.

Now let us consider the question of V's running time. V can verify in poly-time whether $n_i = x^a$ (where $x, a$ are integers and $a > 1$), as only the values $2, \ldots, \log n_i$ need to be tried for $a$, and for each such $a$ a binary search over $x$ finds the $a$-th root of $n_i$, if it exists. All other steps of V are even easier.

Now let us give some indication that (P,V) constitutes a single-theorem non-interactive ZKPS.

Completeness: Assuming that $\sigma$ already consists of triplets in $Z_{n_1}^{+1} \times Z_{n_2}^{+1} \times Z_{n_3}^{+1}$, if P operates correctly, V will be satisfied with probability 1.

Soundness: If verification step 1 is successfully passed, by Fact 1 there must be $\ge 2$ quadratic residuosity classes in each $Z_{n_i}^{+1}$ (exactly two if P honestly chooses all the $n_i$'s in $Z_2(k)$).






Thus, if we define two of our triplets $(z_1, z_2, z_3)$ and $(w_1, w_2, w_3)$ to be equivalent if $z_i w_i \bmod n_i$ is a quadratic residue for $i = 1, 2, 3$, we obtain $\ge 8$ equivalence classes among the triplets (exactly 8 if P is honest).

To exhibit a signature of a given type for a triplet essentially means to put the triplet in one out of $\le 8$ possible "drawers" (there are 8 types of signatures, but they may not be mutually exclusive; thus two drawers may be equal). Moreover, it is easy to see that if two triplets are put in the same drawer, they must belong to the same equivalence class.

As $\sigma$ is randomly selected, each of its triplets in $Z_{n_1}^{+1} \times Z_{n_2}^{+1} \times Z_{n_3}^{+1}$ is equally likely to belong to any of the $\ge 8$ equally-numerous equivalence classes. However, since if there were $> 8$ classes there would be (by Fact 1) at least 16, the fact that all triplets can be fit in $\le 8$ drawers "probabilistically proves" several facts:

1. There are exactly 8 equivalence classes among the triplets and exactly 8 distinct drawers.

2. The $n_i$'s are products of two distinct prime powers.

3. $Q_{n_1}(q_1) = Q_{n_2}(q_2) = Q_{n_3}(q_3) = 1$.

4. $(a_1, a_2, a_3)$ is a proper color (i.e., it properly encodes a color: either 1, 2, or 3).

5. $(b_1, b_2, b_3)$ is a proper color.

6. $(a_1, a_2, a_3)$ and $(b_1, b_2, b_3)$ are different colors. Else drawer 6 and drawer 0 would be the same.

Item 6 being true for all edges in $G'$ implies that $G$ is 3-colorable, which is what was to be proven.

Zero-Knowledgeness 

Let us specify the simulating machine M that, under the QRA, generates a pair $(\sigma, \text{proof})$ with the "right odds" on input $G$ (without any coloring!).

Instructions for M 

1. Randomly select $n_1, n_2, n_3 \in Z_2(k)$ together with their prime factorizations.

2. Randomly select $q_1, q_2, q_3$ so that $Q_{n_1}(q_1) = Q_{n_2}(q_2) = Q_{n_3}(q_3) = 0$.

3. For each node $v$ of $G$, label $v$ with a triplet $(v_1, v_2, v_3) \in Z_{n_1}^* \times Z_{n_2}^* \times Z_{n_3}^*$ such that $Q_{n_1}(v_1) = Q_{n_2}(v_2) = Q_{n_3}(v_3) = 0$. Call $G'$ the so labelled graph.

4. Construct $\sigma = (\sigma_1, \sigma_2, \sigma_3)(\sigma_4, \sigma_5, \sigma_6) \cdots$, such that each triplet $(\sigma_{3j+1}, \sigma_{3j+2}, \sigma_{3j+3})$ is randomly selected so that $Q_{n_i}(\sigma_{3j+i}) = 0$ for $i = 1, 2, 3$.

{Remark: Also in the simulation we only deal with already "purged" strings. It is not hard to see that M could also handle generating "unpurged" strings.}

5. For each edge $(a, b)$ of $G'$ and each of its assigned $8k$ triplets $(z_1, z_2, z_3)$, choose an integer $i$ at random between 0 and 7, and compute a signature of type $i$.

{Comment: By using the prime factorization of the $n_i$.}

6. Output $\sigma, n_1, n_2, n_3, q_1, q_2, q_3, G'$, and the computed signatures.
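The following Python shows, on a toy instance, how P's step 5 signatures, V's step 2 check, and M's step 5 fit together; it is an added example, not code from the paper. It assumes Blum moduli ($p \equiv q \equiv 3 \pmod 4$), for which a square root mod $p$ is $x^{(p+1)/4}$, and it assumes the colour encoding under which exactly one signature type applies to an honest edge: a colour $c \in \{1, 2, 3\}$ is a triple whose $c$-th coordinate is a quadratic residue and whose other two coordinates are non-residues of Jacobi symbol $+1$ (the excerpt does not spell the encoding out; this reading is ours). Function names and moduli are ours; the primes are illustratively small.

```python
import random

# Toy Blum moduli n_i = p_i * q_i with p, q = 3 (mod 4) (constructed; real ones use k-bit primes).
MODULI = [(7, 11), (19, 23), (31, 43)]


def is_qr_mod_prime(x, p):
    return pow(x % p, (p - 1) // 2, p) == 1


def qres(x, p, q):
    """Quadratic residuosity Q_n(x) of x in Z_n^{+1}, n = p*q: 0 = residue, 1 = non-residue.
    An element of Z_n^{+1} is a residue mod both primes or mod neither."""
    return 0 if is_qr_mod_prime(x, p) else 1


def random_plus1(p, q, rng, residue=None):
    """A random element of Z_n^{+1}, optionally with prescribed residuosity."""
    n = p * q
    while True:
        x = rng.randrange(2, n)
        if x % p == 0 or x % q == 0:
            continue
        if is_qr_mod_prime(x, p) != is_qr_mod_prime(x, q):   # Jacobi symbol -1
            continue
        if residue is None or qres(x, p, q) == residue:
            return x


def sqrt_mod_n(x, p, q, rng):
    """A uniformly random square root of the residue x modulo n = p*q, via CRT.
    This needs the factorization: P and the simulator M have it, V does not."""
    if qres(x, p, q) != 0:
        raise ValueError("not a quadratic residue")
    rp = rng.choice([1, -1]) * pow(x % p, (p + 1) // 4, p)   # valid because p = 3 (mod 4)
    rq = rng.choice([1, -1]) * pow(x % q, (q + 1) // 4, q)
    n = p * q
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n


def multipliers(t, a, b, q):
    """Coordinate multipliers m_i of type t: a type-t signature is (sqrt(m_i z_i) mod n_i)_i."""
    return {0: (1, 1, 1),
            1: (q[0], 1, 1), 2: (1, q[1], 1), 3: (1, 1, q[2]),
            4: a, 5: b,
            6: tuple(a[i] * b[i] for i in range(3)),
            7: q}[t]


def applicable_types(z, a, b, q, moduli=MODULI):
    """The 'drawers' a triplet fits into: types t with every m_i z_i a residue mod n_i."""
    return [t for t in range(8)
            if all(qres(multipliers(t, a, b, q)[i] * z[i], *moduli[i]) == 0 for i in range(3))]


def sign(z, t, a, b, q, rng, moduli=MODULI):
    m = multipliers(t, a, b, q)
    return tuple(sqrt_mod_n(m[i] * z[i], *moduli[i], rng) for i in range(3))


def verify_signature(sig, t, z, a, b, q, moduli=MODULI):
    """V's step 2 for one triplet: s_i^2 = m_i z_i (mod n_i) for i = 1, 2, 3; no factoring needed."""
    m = multipliers(t, a, b, q)
    return all(pow(sig[i], 2, p * qq) == (m[i] * z[i]) % (p * qq)
               for i, (p, qq) in enumerate(moduli))


def encode_colour(c, rng, moduli=MODULI):
    """Assumed encoding of colour c in {1,2,3}: coordinate c is a residue, the other two are not."""
    return tuple(random_plus1(*moduli[i], rng, residue=0 if i == c - 1 else 1) for i in range(3))


def honest_drawers(colour_a, colour_b, seed=1):
    """Honest P: q_i non-residues, a and b proper colours. For each of the 8 residuosity
    patterns of z, returns the applicable types, after checking that sign/verify agree."""
    rng = random.Random(seed)
    q = tuple(random_plus1(*MODULI[i], rng, residue=1) for i in range(3))
    a, b = encode_colour(colour_a, rng), encode_colour(colour_b, rng)
    out = {}
    for pattern in range(8):
        z = tuple(random_plus1(*MODULI[i], rng, residue=(pattern >> i) & 1) for i in range(3))
        types = applicable_types(z, a, b, q)
        for t in types:
            assert verify_signature(sign(z, t, a, b, q, rng), t, z, a, b, q)
        out[pattern] = types
    return out


def simulator_drawers(seed=2):
    """M's trick: with q_i, the labels and every z chosen as residues, all 8 types apply,
    so M picks a type at random (its step 5) and the signature still verifies."""
    rng = random.Random(seed)
    q, a, b, z = (tuple(random_plus1(*MODULI[i], rng, residue=0) for i in range(3)) for _ in range(4))
    t = rng.randrange(8)
    assert verify_signature(sign(z, t, a, b, q, rng), t, z, a, b, q)
    return applicable_types(z, a, b, q)
```

With two different colours every residuosity pattern of $z$ lands in exactly one drawer; with the same colour on both endpoints the product $a_i b_i$ is a residue in every coordinate, so types 0 and 6 collapse onto the same drawer, which is the collision that item 6 above relies on.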

We now informally argue that M is a good simulator for the view of V. Essentially, this is so because efficiently detecting that the triplets of $\sigma$ are not randomly and independently drawn from the space $Z_{n_1}^{+1} \times Z_{n_2}^{+1} \times Z_{n_3}^{+1}$ is tantamount to violating the QRA (to be explained in the final paper). For the same reason, it cannot be detected efficiently that $G'$ is an illegal labelling or that $q_1, q_2, q_3$ are squares mod, respectively, $n_1, n_2, n_3$. Given that, the distribution of the various types of signature looks "perfect".

{Remark: the reader is encouraged to verify that if (P,V) uses part of the used $\sigma$ to show that another graph is 3-colorable, then extra knowledge would leak. For instance, that there exist 3-colorings of $G$ and $H$ in which nodes $v_1$ and $v_2$ in $H$ respectively have the same colors as nodes $w_1$ and $w_2$ in $G$.}

4 Security Against Chosen Ciphertext Attack 

One of the most beautiful gifts of complexity-based cryptography is the notion of a public-key cryptosystem. As proposed by Diffie and Hellman [DH], each user $U$ publicizes a string $P_U$ and keeps secret an associated string $S_U$. Another user, to secretly send a message $m$ to $U$, computes $y = E(P_U, m)$ and sends $y$; upon receiving $y$, $U$ retrieves $m$ by computing $D(S_U, y)$; here $E$ and $D$ are polynomial-time algorithms chosen so that it will be infeasible, for any other user, to compute $m$ from $y$.

Notice that in this set-up any other user is thought of as a "passive" adversary who tries to retrieve $m$ by computing solely on the inputs $y$ and $P_U$. This is indeed a mild type of adversary, and other types of attacks have been considered in the literature. It is widely believed that the strongest type of attack among all the natural ones is the chosen-ciphertext attack. In such an attack, someone tries to break the system by asking for and receiving decryptions of ciphertexts of his choice. Indeed, this is an attack feasible to any employee who works at the decoding equipment of, say, a large bank. The power of this attack is very well exemplified by an elegant scheme of Rabin [R]: as Rivest has shown, this scheme, which is as secure as factoring (if the messages are uniformly selected strings of a given length) against a passive adversary, is easily broken by a chosen-ciphertext attack. Since observing this phenomenon, people have tried to design cryptosystems invulnerable to such attacks, but in vain. A positive answer has been found [GMT] only by allowing interaction, during the encryption process, between legal sender and legal receiver. However, for the standard (non-interactive) Diffie and Hellman model, the existence of a cryptosystem invulnerable to chosen-ciphertext attack has been an open problem since 1978.






Non-interactive zero-knowledge proofs allow us to finally solve this problem. The essence of our solution (rather than its details) is informally described as follows. Instead of sending $U$ an encryption $y$ of a message $m$, one is required to send two strings: $y$ and $\sigma$, where $\sigma$ is a zero-knowledge and non-interactive proof that the sender knows the decoding of $y$. The "decoding equipment" (read: the decoding function) checks that $\sigma$ is convincing and, if so, outputs $m$, the decoding of $y$; otherwise, it outputs nothing. Notice that, now, being able to use the decoding equipment provably is of no advantage! In fact, only when we feed it with ciphertexts whose decoding we can prove we know does the decoding equipment output these decodings! In other words, the decoding equipment can only be used to output what we already know. A detailed discussion of this powerful application will appear in the final paper.

(A formal setting and the proof require some care. For instance, the decoding equipment may be used as an oracle to check whether a given string $\sigma$ is a "correct proof of knowledge". Thus, in particular, one should prove that such an oracle cannot help. In the final paper we will essentially show that if one can generate a legal $(y, \sigma)$ pair without having $m$ as an input, then one can easily decrypt all messages on input $y$ and $P_U$ only.)
Abstract

Non-Interactive Zero-Knowledge Proof Systems have been proven to exist under a specific complexity assumption; namely, under the Quadratic Residuosity Assumption, which gives rise to a specific secure probabilistic encryption scheme.

In this paper we prove that the existence of any secure probabilistic encryption scheme, actually of any one-way encryption scheme, is enough for Non-Interactive Zero-Knowledge in a modified model. That is, we show that the ability to prove a randomly chosen theorem allows one to subsequently prove non-interactively and in Zero-Knowledge any smaller size theorem whose proof is discovered.

A quick and dirty exposition of our results 

The one-time pad is a well-known cipher system which achieves perfect security in 
the Shannon sense [Sh]. This system can be described as consisting of two stages: 

1. Preprocessing stage. A and B interact for a while to agree on a common n-bit 
random string r. 

2. Communication stage. A encrypts an n-bit plaintext by xoring it with the 
string r, and sends the ciphertext to B. 

Notice that the communication stage is unidirectional: A sends the message to B, who need not reply.
di Salerno, 84100 Salerno, Italy.

The string r does not depend on the communication stage. When A and B
agree on r, they have no idea on the message that A will send B later. 

The advantage of this system is that it is the most secure cipher system that 
exists. Only B can decrypt the ciphertext, because he knows the string r. The ci- 
phertext does not give any information to an eavesdropper, no matter how powerful 
he is. Indeed an eavesdropper has the same amount of information, in the Shannon 
sense, on the plaintext both before and after seeing the ciphertext. 

This system has two drawbacks: 

1. A and B have to meet beforehand in order to share the random string. 

2. The length of the string r generated in the preprocessing stage bounds the length of the message that A can send to B in the communication stage. Indeed, if the same string r is used again to send other messages, then an eavesdropper will obtain some information.

In this paper we present the notion of Non-Interactive Zero-Knowledge Proof- 
System with Preprocessing that constitutes the equivalent of one-time pad for Non- 
Interactive Zero-Knowledge Proof Systems. 

Also Non-Interactive Zero-Knowledge Proof-Systems with Preprocessing have a 
preprocessing stage and a communication stage: 

1. Preprocessing stage. A, the prover, chooses an n-bit theorem $T_0$ and proves interactively and in zero-knowledge to B, the verifier, that $T_0$ is true.

2. Communication stage. A proves to B any NP theorem of length not bigger than $n^c$, for some fixed positive constant $c < 1$. This proof is unidirectional (from A to B) and zero-knowledge (B does not get any additional knowledge of the theorem proved, but its validity).

Like in the one-time pad case, in which, when A and B interact in the preprocessing 
stage, they have no idea on the message that A will send later to B, also in our 
proof system A and B have no idea, when they interact in the preprocessing stage, 
on the theorem that A will later prove to B. 

The advantage of this system is analogous to that of the one-time pad case. We get maximum security for the system. B does not get from the proof that he receives from A any additional knowledge on the theorem but its validity. We only require that a one-way encryption scheme exists.

This system has the same two drawbacks of the one-time pad system: 

1. A and B have to meet beforehand. 

2. The length of the theorem $T_0$ bounds the length of the theorems that A can prove to B in the communication stage. Indeed, if the same string $T_0$ is used again to prove non-interactively other theorems, then B will get some information.
Now we give a sketch of our protocol. To prove the existence of a Non-Interactive Zero-Knowledge Proof-System with Preprocessing for any NP language it is enough to prove it for the language of the 3-satisfiable formulae (3SAT). The following is an example of a formula in 3SAT:

$(\bar u_3 \vee u_2 \vee \bar u_1) \wedge (u_6 \vee \bar u_2 \vee \bar u_1) \wedge \cdots \wedge (u_7 \vee \bar u_3 \vee u_4)$

It consists of literals ($u_1, \bar u_1, u_2, \bar u_2, \ldots$) and clauses ($(\bar u_3 \vee u_2 \vee \bar u_1)$, $(u_6 \vee \bar u_2 \vee \bar u_1)$, ..., $(u_7 \vee \bar u_3 \vee u_4)$). Each clause contains exactly three literals. The formula is satisfiable iff there is an assignment of boolean values {T, F} (or, equivalently, {1, 0}) to the variables (a literal $\bar u$ taking the value complementary to $u$) such that the formula is true, that is, there is at least one true literal in each clause.

Now, suppose that A wants to prove to B that a particular formula, of which 
he knows a satisfying assignment t, is satisfiable. A associates to each literal u 
an encryption of 1 if t(u) = T or an encryption of 0 if t(u) = F. Each literal is 
associated with only one encryption, even if it appears in several clauses. In this 
way a triple of encryptions has been naturally associated to each clause. 

To prove that the formula is true it is enough to show that each clause is satisfied, i.e. that each of the triplets of encryptions associated to the clauses contains at least one encryption of 1, since this corresponds to a literal with a true value in the clause. All the interaction required for this task is squeezed into the preprocessing stage.

Here is a sketch of our protocol. 

Preprocessing stage. A randomly chooses 3n pairs of complementary bits $b_i$ and $\bar b_i = 1 - b_i$. For example, (1,0), (1,0), (0,1), .... A keeps these bits secret, and will never show them to B. These bits represent boolean values (1 stands for True, 0 for False).

Then, using a one-way encryption scheme, A computes an encryption of each bit: $(\alpha_1, \beta_1), (\alpha_2, \beta_2), (\alpha_3, \beta_3), \ldots$

For each triple formed by 3 of the encryptions in the set $\{\alpha_1, \beta_1, \alpha_2, \beta_2, \alpha_3, \beta_3, \ldots\}$, A encrypts the bit that is the OR of the bits encrypted by the triple. For instance, if $(\alpha_3, \alpha_2, \beta_1)$ are the encryptions of (1, 0, 0), then A computes an encryption $\gamma$ of the bit $1 = 1 \vee 0 \vee 0$.

Finally A concludes the preprocessing stage by sending to B all and only the encryptions he computed, and proving interactively and in zero-knowledge that these encryptions have been correctly computed. Thus B will learn that $(\alpha_i, \beta_i)$ are the encryptions of two complementary bits, but he has no information on whether they are the encryptions of (1,0) or those of (0,1); moreover B will learn that the encryptions $\gamma$ were also properly computed, but he still doesn't get any information on the bits $b_i$ and $\bar b_i$.

Communication stage. Now A is able to prove to B non-interactively and in zero-knowledge that any n-bit 3-satisfiable formula C is indeed satisfiable.

The written proof of A consists of an "ad hoc" association of the literals of C with the first pairs of encryptions $(\alpha_1, \beta_1), (\alpha_2, \beta_2), \ldots$ Namely, for each variable $u_i$, A considers the pair $(\alpha_i, \beta_i)$. A associates the element of the pair which is the encryption of 1 to the literal, $u_i$ or $\bar u_i$, that is true under t, and the remaining element of the pair to the other literal. Since each clause is formed of three literals, in this way A has associated to each clause a triplet of encryptions. A finally looks for this triplet in the list of the triplets he gets from the preprocessing stage and shows that the associated encryption $\gamma$ is an encryption of 1, by opening it.

Informally speaking this is zero-knowledge, since the only things B gets are a zero-knowledge proof in the preprocessing stage plus encryptions of bits. In particular the encryptions $\gamma$, which A opens in the communication stage, are encryptions of 1, which must certainly be the case if the formula is satisfiable.

To perform our protocol, the prover A can be a probabilistic polynomial-time 
machine that gets an NP proof as an auxiliary input. Thus, this proof system can 
be used in a cryptographic scenario. 

Let us proceed more formally. 

1 Introduction 

The notion of Non- Interactive Zero-Knowledge Proof-System has been introduced 
by [BIFeMi]. A Non-Interactive Zero- Knowledge Proof-System allows a prover to 
non-interactively and in zero-knowledge prove any number of theorems to a poly- 
bounded verifier, provided that the prover and the verifier share a random string. 
The prover, on input the common random string a, and the theorem T writes the 
proof in a letter. The verifier, trusting the randomness of a, is convinced that 
the theorem T is true just by reading the letter. This model is argued to be the 
minimal one supporting zero-knowledge proofs. [BIFeMi] and [DeMiPe] gave imple- 
mentations based on the difficulty of specific computational problems. Namely the 
[BIFeMi] implementation relies on the difficulty of distinguishing numbers product 
of two primes from those product of three primes. Whereas the [DeMiPe] imple- 
mentation is based on the weaker assumption of the difficulty of distinguishing a 
quadratic residue from a quadratic non residue. 

Non-Interactive Zero-Knowledge Proof Systems are particularly useful when the prover and the verifier cannot talk to each other. Indeed, though interaction is a requirement that can be met, in practice it may not be readily available. For example, this is the case if the prover will leave for a 10-year trip and the mail is the only way to communicate.

In this paper we introduce the notion of Non-Interactive Zero-Knowledge Proof- 
System with Preprocessing. A Non-Interactive Zero-Knowledge Proof-System with 
Preprocessing consists of two stages: 

1. Preprocessing stage. A chooses an n-bit string $v \in V$ and proves interactively and in zero-knowledge to B that indeed v belongs to the language V.

2. Communication stage. A chooses an NP theorem T of length not bigger than $n^c$ (for some fixed positive constant c), and sends the proof that indeed T is true to B. B, believing that $v \in V$, can check that the proof is valid without ever talking to A but gets no knowledge except the validity of the theorem.

This proof is unidirectional (from A to B) and zero-knowledge (B does not get any additional knowledge of the theorem proved).

A Non-Interactive Zero-Knowledge Proof-System with Preprocessing allows a prover to non-interactively and in zero-knowledge prove a theorem T to a poly-bounded verifier, provided that the prover and the verifier had the opportunity to meet beforehand. The prover, on input the string $v \in V$ and the theorem T, writes the proof of T in a letter. The verifier, having been convinced in the preprocessing stage that $v \in V$, is also convinced that the theorem T is true, while receiving no other additional information, just by reading the letter.

This model is not as general as that considered in [BIFeMi] and [DeMiPe]. The 
prover and the verifier must know in advance the length of the theorem that will be 
later non-interactively proved. Moreover the non-interactive proof needs a string 
randomly chosen in a particular language V, and not just a random string. This 
is somewhat more difficult to obtain, even though a preprocessing step can easily 
handle both cases. 

We give an implementation of Non-Interactive Zero-Knowledge Proof-Systems with Preprocessing based on the weakest possible assumption in Cryptography: the existence of a one-way encryption scheme. This frees the non-interactive proof model from the fortunes of a specific algebraic problem.

Thus, in this paper the generality and the minimality of [BIFeMi] and [DeMiPe] are traded for a relaxation of the underlying assumption.

The proposed protocol can be used as a tool for cryptographic protocol design. 
It allows the squeezing, to an initial step, of all the interaction needed for zero- 
knowledge proofs in a multi-party protocol. It is indeed enough for a player to send 
the same single string to all the other players each time he needs to validate his 
assertion without compromising his secrets. 

The remainder of the paper consists of 3 sections. In Section 2, some preliminary facts are discussed. Section 3 presents our main results: first the model is formally defined and then a protocol is given. Finally, in Section 4 some open problems are presented.

2 Preliminaries 

Let us quickly recall the standard notation of [GoMiRi]. 

We emphasize the number of inputs received by an algorithm as follows. If algorithm A receives only one input we write "$A(\cdot)$", if it receives two inputs we write "$A(\cdot, \cdot)$" and so on.

If $A(\cdot)$ is a probabilistic algorithm, then for any input x, the notation $A(x)$ refers to the probability space that assigns to the string $\sigma$ the probability that A, on input x, outputs $\sigma$. If S is a probability space, denote by $\Pr_S(e)$ the probability that S associates with the element e.

If $g(\cdot)$ and $h(\cdot, \ldots, \cdot)$ are probabilistic algorithms then $g(h(\cdot, \ldots, \cdot))$ is the probabilistic algorithm obtained by composing g and h (i.e. running g on h's output). For any inputs x, y, ... the associated probability space is denoted by $g(h(x, y, \ldots))$.

If S is any probability space, then $x \leftarrow S$ denotes the algorithm which assigns to x an element randomly selected according to S. If F is a finite set, then the notation $x \leftarrow F$ denotes the algorithm which assigns to x an element chosen with uniform probability from F. In other words, when no confusion arises, we identify a finite set with the algorithm that randomly selects a point in that set.

The notation $\Pr(x \leftarrow S;\ y \leftarrow T;\ \ldots : p(x, y, \ldots))$ denotes the probability that the predicate $p(x, y, \ldots)$ will be true after the ordered execution of the algorithms $x \leftarrow S$, $y \leftarrow T$, ...

The notation $\{x \leftarrow S;\ y \leftarrow T;\ \ldots : (x, y, \ldots)\}$ denotes the probability space over $\{(x, y, \ldots)\}$ generated by the ordered execution of the algorithms $x \leftarrow S$, $y \leftarrow T$, ...

Let us recall the basic definitions of [GoMiRa]. We address the reader to the 
original paper for motivation, interpretation and justification of these definitions. 

Let $U = \{U(x)\}$ be a family of random variables taking values in $\{0,1\}^*$, with the parameter x ranging in $\{0,1\}^*$. $U = \{U(x)\}$ is called a poly-bounded family of random variables if, for some constant $e \in N$, all random variables $U(x) \in U$ assign positive probability only to strings whose length is exactly $|x|^e$.

Let $C = \{C_x\}$ be a poly-size family of Boolean circuits, that is, for some constants $c, d > 0$, all $C_x$ have one Boolean output and at most $|x|^c$ gates and $|x|^d$ inputs. In the following, when we say that a random string, chosen according to $U(x)$, where $\{U(x)\}$ is a poly-bounded family of random variables, is given as input to $C_x$, we assume that the length of the strings that are assigned positive probability by $U(x)$ equals the number of boolean inputs of $C_x$.

Definition (Indistinguishability). Let $L \subseteq \{0,1\}^*$ be a language. Two poly-bounded families of random variables $U = \{U(x)\}$ and $V = \{V(x)\}$ are indistinguishable on L if for all poly-size families of circuits $C = \{C_x\}$, all positive constants c and all sufficiently large $x \in L$,

$\left| \Pr(a \leftarrow U(x) : C_x(a) = 1) - \Pr(a \leftarrow V(x) : C_x(a) = 1) \right| < |x|^{-c}.$

Definition (Approximability). Let $L \subseteq \{0,1\}^*$ be a language. A family of random variables $U = \{U(x)\}$ is approximable on L if there exists a Probabilistic Turing Machine M, running in expected polynomial time, such that the families $\{U(x)\}$ and $\{M(x)\}$ are indistinguishable on L.

The fundamental notions of security for probabilistic encryption schemes were introduced in [GoMi]; see also [MiRaSl] for an extended discussion. However, this probabilistic encryption scheme is a bit too powerful for our needs. Indeed, it is required that encryption is easy and that decryption is also easy provided that an extra secret key is known. In our scenario we only need that encryption is easy and that the ciphertext can be unambiguously decoded. Indeed, should someone encrypt a message, he should be able later to show the message and prove that the encryption was correctly computed, by only remembering his own computation. Should he forget this computation, then it will be difficult also for him to compute the message. We call such a scheme, to be formally defined below, a one-way encryption scheme. Such a scheme has been used in the well known zero-knowledge interactive proof system for 3COL of [GoMiWi] and, more recently, also in [BGGHKMR].

A one-way encryption scheme is a probabilistic polynomial time Turing machine E that, on input x and internal coin tosses r, outputs an encryption $E(x, r)$, such that

1. The ciphertext can be uniquely decoded. Whatever the coin tosses r, s and the inputs x, y, $E(x, r) = E(y, s)$ implies $x = y$.

2. There is no computationally feasible way to distinguish the encryption of 0 from the encryption of 1. Let $E_n(x)$ be the probability space obtained by setting $\Pr(y) = 2^{-n} \cdot |\{r \in \{0,1\}^n : E(x, r) = y\}|$. Then, for any poly-size family of circuits $C = \{C_n\}$, all positive constants c and all sufficiently large n,

$\left| \Pr(a \leftarrow E_n(0) : C_n(a) = 1) - \Pr(a \leftarrow E_n(1) : C_n(a) = 1) \right| < n^{-c}.$



Using arguments similar to those of [GoMi], it is easy to show that the existence of an unapproximable predicate as defined in [BlMi] is equivalent to the existence of a one-way encryption scheme. Both unapproximable predicates and one-way encryption schemes exist if one makes the stronger assumption that one-way permutations exist [Ya].

The one-way encryption scheme is an instrumental tool to commit a bit and then to decommit it. The commitment to a bit b using a security parameter n is done by choosing an n-bit random string s and sending $E(b, s)$. For the decommitment of the bit, that is the proof to a polynomially bounded machine that $E(b, s)$ is indeed an encryption of b, it suffices to exhibit s.

In the following, we denote by $E_n(b)$ the set of all possible encryptions of b with security parameter n, i.e. $E_n(b) = \{e \mid \exists r \text{ such that } e = E(b, r) \text{ and } |r| = n\}$. Finally we denote by $D_n$ the inverse function of $E_n$, that is $D_n(\alpha) = b$ if $\alpha \in E_n(b)$.

3 Non-Interactive Zero-Knowledge Proof- Systems 
with Preprocessing 

In this section first we formally define what we mean by Non-Interactive Zero- 
Knowledge Proof-System with Preprocessing and then we give an implementation 
of it based on the assumption that one-way encryption schemes exist. 
To prove the existence of Non-Interactive Zero-Knowledge Proof-Systems with Preprocessing for all NP languages, it is enough to prove it for the NP-complete language 3SAT [GaJo]. For $k \in N$ we define the language $V_k = \{y \in V : |y| = k\}$.

3.1 The model 

In this section we formally define what we mean by Non-Interactive Zero-Knowledge 
Proof-System with Preprocessing. 

Definition. Let V be a language. (A,B), where A is a Probabilistic Turing Machine and $B(\cdot, \cdot, \cdot)$ is a deterministic algorithm running in time polynomial in the length of the first input, is a Non-Interactive Zero-Knowledge Proof-System with Preprocessing if a positive constant c exists such that

1. (Completeness) $\forall x \in 3SAT$, $\forall v \in V_{|x|^c}$, for all positive constants d and all sufficiently large x,

$\Pr(y \leftarrow A(x, v) : B(x, v, y) = 1) > 1 - |x|^{-d}.$

2. (Soundness) $\forall x \notin 3SAT$, $\forall v \in V_{|x|^c}$, for each Probabilistic Turing machine A', for all positive constants d and all sufficiently large x,

$\Pr(y \leftarrow A'(x, v) : B(x, v, y) = 1) < |x|^{-d}.$

3. (Zero-Knowledge) The family of random variables $R = \{R(x)\}$, where

$R(x) = \{v \leftarrow V_{|x|^c};\ y \leftarrow A(x, v) : (v, y)\},$

is approximable over 3SAT.

Notice that in our definition we have not formalized the preprocessing stage. The preprocessing stage consists of an interactive zero-knowledge proof that a string v, randomly chosen in V, indeed belongs to V, while, in the above definition, the string $v \in V$ is seen as an additional input available to both A and B. However, we can always think of this string v as fixed in the preprocessing stage.

So, the proof goes as follows. In the preprocessing stage, A proves that $v \in V$, where V is a particular language that will be instrumental for the later non-interactive zero-knowledge proof and will thus be called the auxiliary language. Later, in the communication stage, A can non-interactively prove to B any theorem of size $|v|^c$, using the fact that $v \in V$.

In this way we have squeezed out all the interaction needed at the beginning. Notice that this is not a trivial task, since A does not know which theorem he is going to prove when he chooses the string v.

Notice also that A can choose his favorite $v \in V$ (he has infinite computing power), and so in the completeness and soundness requirements we must say "for all $v \in V$" instead of saying "for an overwhelming fraction of $v \in V$".

The randomness of $v \in V$ is a requirement needed only for the zero-knowledge property. It does not affect the completeness and soundness of the proof system.

Finally, notice that this model is not as general as the one proposed in [BIFeMi] and [DeMiPe]. In our model the size of the theorem that can be proved is determined by the length of the shared string v. In the [BIFeMi] and [DeMiPe] model the prover can prove any theorem of size polynomial in the length of the shared string. On the other hand, in that model one still has to make some specific computational assumptions, while in our weaker model we only make the natural assumption that one-way functions exist. Thus the auxiliary language V and the bound on the size of the theorem are the price we pay to relax the underlying assumption.

3.2 Our protocol 

In this section we describe first informally and then formally our protocol for the 
Non-Interactive Zero- Knowledge Proof-System with Preprocessing. 

Our protocol is based on the following observation. Suppose we associate to each literal u an encryption of 1 if $t(u) = T$ or an encryption of 0 if $t(u) = F$. In this way a triple of encryptions has been naturally associated to each clause $c_j$. Thus to show that the clause $c_j$ is satisfied it is enough to show that the associated triple of encryptions contains at least one encryption of 1, since this corresponds to a literal with a true value in $c_j$.

The language V is designed to simplify all the future work of proving the needed relationships between these encryptions. To better understand the language V it is useful to regard the string $v \in V$ as "made" of two parts. The first part consists of 3n pairs $(\alpha_i, \beta_i)$ that are the encryptions of two complementary bits $b_i$ and $\bar b_i$. The second part is a table in which, given any three $v_1 \in E_n(d_1)$, $v_2 \in E_n(d_2)$, $v_3 \in E_n(d_3)$ of the 6n encryptions $\alpha_1, \alpha_2, \ldots, \alpha_{3n}, \beta_1, \ldots, \beta_{3n}$ considered in the first part, we obtain an encryption $\gamma$ of the bit $d_1 \vee d_2 \vee d_3$.

Thus, given such a string $v \in V$, the non-interactive proof of A consists of an "ad hoc" association of the literals of C with the encryptions contained in the first part of $v \in V$. Namely, for each variable $u_i$, A considers the pair $(\alpha_i, \beta_i)$ in $v \in V$. A associates the element of the pair that is the encryption of 1 to the literal, $u_i$ or $\bar u_i$, that is true under t, and the remaining element of the pair to the other literal. Since each clause $c_j$ is formed of three literals, in this way A has associated to each clause a triple of encryptions. A finally looks for this triple in the second part of v and shows that the associated $\gamma$ is an encryption of 1, by revealing the random bits used for its encryption.

Let us now proceed more formally. We first define the language V we use, and 
then we describe our protocol. 
3.2.1 The language V 

In this section we describe the auxiliary language $V = \{V_n\}_{n \in N}$ that we use in our 
protocol. 

Let E be a one-way encryption scheme. 

A string $v \in V_n$ is the concatenation of two substrings $v_1 \circ v_2$. 

1. Let $\alpha_1, \alpha_2, \ldots, \alpha_{3n}$ be encryptions, computed using E, of 3n bits $b_1, b_2, \ldots, b_{3n}$. 

The first substring $v_1$ is formed by concatenating the $\alpha_i$, $1 \le i \le 3n$, each 
one followed by an encryption $\beta_i$ of $\bar{b}_i = 1 - b_i$. 

That is, $v_1 = v_{1,1} \circ \cdots \circ v_{1,3n}$, where $v_{1,i} = \alpha_i \circ \beta_i$, $\alpha_i \in E_n(b_i)$ and $\beta_i \in E_n(\bar{b}_i)$ 
for $1 \le i \le 3n$. 

2. For the second substring $v_2$, consider the set 

$$S = \bigcup_{1 \le h < i < j \le 3n} \{\alpha_h, \beta_h\} \times \{\alpha_i, \beta_i\} \times \{\alpha_j, \beta_j\}.$$ 

Notice that $|S| = O(n^3)$. 

Let $z_1, \ldots, z_{|S|}$ be an arbitrary but fixed ordering (e.g. the lexicographic 
one) of the elements of S. Then $v_2 = v_{2,1} \circ \cdots \circ v_{2,|S|}$, where $v_{2,h} = z_h \circ \gamma_h$ and 
$\gamma_h \in E_n(D_n(v_{1,h}) \vee D_n(v_{2,h}) \vee D_n(v_{3,h}))$ if $z_h = (v_{1,h}, v_{2,h}, v_{3,h})$. 

Notice that $V = \{V_n\}_{n \in N}$ is an NP language. If you "guess" all the bits as well 
as the coin tosses used for the encryptions, then you can verify in time polynomial 
in $|v|$ that indeed $v \in V$. 

3.2.2 The implementation 

In this section we exhibit a Non-Interactive Zero-Knowledge Proof-System with 
Preprocessing. We use the language described in Section 3.2.1 as the auxiliary 
language V. 

Theorem 1. If one-way encryption schemes exist, then there exists a Non-Interactive 
Zero-Knowledge Proof-System (A, B) with Preprocessing. 

To prove the theorem we start by formally describing the protocol. 

A's protocol. 

When we say A "writes r", we mean that A appends r followed by a special 
symbol, such as #, to the string Proof that will be sent to B. 

Preprocessing stage. 

A randomly chooses a v in V. A sends v to B and proves interactively and in 
zero-knowledge to B that indeed v belongs to the language V. 
Communication stage. 

Let $v = \alpha_1 \circ \beta_1 \circ \alpha_2 \circ \beta_2 \circ \cdots \circ \alpha_{3n} \circ \beta_{3n} \circ z_1 \circ \gamma_1 \circ \cdots \circ z_{|S|} \circ \gamma_{|S|}$. 
Let $C = \{c_1, \ldots, c_n\}$ be a collection of clauses over the set of variables $U = 
\{u_1, \ldots, u_k\}$ and $t : U \to \{T, F\}$ a truth assignment satisfying C. 

1. A sets Proof = empty string. 

2. A repeats step 2.1 for $i = 1, \ldots, k$. 

2.1 If $t(u_i) = T$ and $D_n(\alpha_i) = 1$ then A writes $(\alpha_i, \beta_i)$. 
If $t(u_i) = T$ and $D_n(\alpha_i) = 0$ then A writes $(\beta_i, \alpha_i)$. 
If $t(u_i) = F$ and $D_n(\alpha_i) = 1$ then A writes $(\beta_i, \alpha_i)$. 
If $t(u_i) = F$ and $D_n(\alpha_i) = 0$ then A writes $(\alpha_i, \beta_i)$. 

3. A repeats step 3.1 for $i = 1, \ldots, n$. 

3.1 Let $z_h$ be the tern in $v_2$ associated to $c_i$. A looks for $z_h$ in $v_2$ and shows 
that the associated $\gamma_h$ is an encryption of 1, by revealing the random 
n-bit seed used for its computation. 

Now we show that the protocol meets the Completeness and the Soundness 
requirements. 

Suppose that the formula $C = \{c_1, \ldots, c_n\}$ is satisfied by the truth assignment t. 
If A follows the specification of the protocol then the $\gamma$ associated to each clause 
will certainly be an encryption of 1. Therefore B always accepts. 

On the other hand, suppose that C is not satisfied by any truth assignment. 
Since each pair $(\alpha_i, \beta_i)$ is formed by the encryptions of two different bits, in whatever 
way A associates such a pair to the literals, there will be at least one $\gamma$ that is an 
encryption of 0. Therefore B always rejects C. 

Now we show that the protocol meets the Zero-Knowledge requirement. 
We exhibit a Probabilistic Turing Machine M, running in expected polynomial 
time, that approximates the family of random variables $R = \{R(x)\}$, where 

$$R(x) = \{\, v \leftarrow V_{|x|^c};\ y \leftarrow A(v, x) : (v, y) \,\}$$ 

for a certain constant c. 

The basic idea is to make M perform the same protocol as A, having as input 
a string $v' \in V'$, where $V'$ is a particular language defined in the following, instead 
of having a string in V. The language $V'$ is similar to V, with only one exception: 
the first part of each string of $V'_n$ is formed of 6n encryptions of 1. 

On input the collection of clauses C, M first outputs a string $v' \in V'$. M then 
randomly associates the strings $\alpha_i, \beta_i$ to the literals for each variable $u_i$, 
$i = 1, \ldots, k$. At this point M has associated to each clause a tern of values that are 
encryptions of 1 and so also the associated $\gamma$ will be an encryption of 1. M simply 
shows the n random bits used to compute such a $\gamma$. 

M's output is different from a real proof only for what concerns the common 
string. In fact the second part of the string used by M is formed by the 3n encryptions 
of 1 while the one used by A is constituted by the encryption of n random 
bits and their complement. If E is a one-way encryption scheme then the two 
distributions are indistinguishable. 

In the following we formally describe M's program. 

1. M sets v = empty string. 

2. M repeats steps 2.1-2.2 for $i = 1, \ldots, 3n$. 

2.1 M randomly chooses two n-bit strings $s_i, s'_i$. 

2.2 M appends $(\alpha_i, \beta_i) = (E(1, s_i), E(1, s'_i))$ to the string v. 

3. M sets $S = \bigcup_{1 \le h < i < j \le 3n} S_h \times S_i \times S_j$ where $S_l = \{\alpha_l, \beta_l\}$, $l = 1, \ldots, 3n$. 

4. M repeats steps 4.1-4.2 for each $z_h = (\alpha, \beta, \delta) \in S$. 

4.1 M chooses a random n-bit seed $r_h$ and computes $\gamma_h = E(1, r_h)$. 

4.2 M appends $z_h \circ \gamma_h$ to v. 

5. M repeats steps 5.1-5.2 for $i = 1, \ldots, k$. 

5.1 M tosses a fair coin. 

5.2 If HEAD then M writes $(\alpha_i, \beta_i)$ else M writes $(\beta_i, \alpha_i)$. 

6. Repeat step 6.1 for $i = 1, \ldots, n$. 

6.1 Let $z_h$ be the tern in S associated to $c_i$. M writes $r_h$. 

Comment. In the protocol (A, B) described above, there is no need for the prover 
to have infinite computing power. Indeed it is enough for him to be a probabilistic 
polynomial-time machine that gets an NP proof as an auxiliary input. Namely, 
in the case $x \in 3SAT$ and $v \in V$, the prover needs only to know a satisfying 
assignment for x and the bits $b_i$ along with the coin tosses used for the encryptions 
in the string v. 
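As an added illustration of the language V (Section 3.2.1), of A's communication stage, and of the simulator M, the following Python script is example code written for this edition, not the paper's own. It builds a string $v = v_1 \circ v_2$ for n clauses together with its NP witness, runs A's steps 2 and 3 for a 3-SAT formula, runs B's check, and builds M's all-ones string $v'$. The one-way encryption $E_n$ is replaced by a hash commitment (an assumption of this example, not the paper's scheme), seeds are 16 random bytes rather than n bits, and the function names and the clause encoding (three literals `(variable, negated)` on distinct variables) are this example's own.

```python
import hashlib
import itertools
import os

SEED_BYTES = 16  # stands in for the paper's n-bit random seed


def E(bit, seed):
    """Stand-in for the one-way encryption E_n(b) (an assumption of this example):
    a hash commitment to `bit` under `seed`, opened by revealing `seed`."""
    return hashlib.sha256(seed + bytes([bit])).hexdigest()


def preprocess(n, simulated=False, rng=os.urandom):
    """Sample a string v = v1 o v2 in V_n for n clauses, plus its NP witness.

    v1: 3n pairs (alpha_i, beta_i) encrypting complementary bits (b_i, 1-b_i).
    v2: for every triple h<i<j and every choice of alpha/beta in each pair, a
        gamma encrypting d_h OR d_i OR d_j, keyed by the chosen ciphertexts.
    With simulated=True this is M's string v' instead: all 6n encryptions in
    v1 (and hence every gamma) encrypt 1."""
    pair_bits, seeds, pairs = [], [], []
    for _ in range(3 * n):
        b = rng(1)[0] & 1
        bits = (1, 1) if simulated else (b, 1 - b)
        s = (rng(SEED_BYTES), rng(SEED_BYTES))
        pair_bits.append(bits)
        seeds.append(s)
        pairs.append((E(bits[0], s[0]), E(bits[1], s[1])))
    table, openings = {}, {}
    for idx in itertools.combinations(range(3 * n), 3):
        for choice in itertools.product((0, 1), repeat=3):
            key = tuple(pairs[x][c] for x, c in zip(idx, choice))
            d = max(pair_bits[x][c] for x, c in zip(idx, choice))  # OR of the three bits
            r = rng(SEED_BYTES)
            table[key] = E(d, r)
            openings[key] = (d, r)
    return (pairs, table), (pair_bits, seeds, openings)


def in_language(v, witness):
    """Preprocessing-stage check that v is in V_n given the guessed bits and coin
    tosses (the paper does this with an interactive zero-knowledge proof; here
    the witness is simply opened)."""
    pairs, table = v
    pair_bits, seeds, openings = witness
    for (a, b), bits, s in zip(pairs, pair_bits, seeds):
        if bits[0] + bits[1] != 1 or (E(bits[0], s[0]), E(bits[1], s[1])) != (a, b):
            return False
    bit_of = {pairs[i][c]: pair_bits[i][c] for i in range(len(pairs)) for c in (0, 1)}
    for key, gamma in table.items():
        d, r = openings[key]
        if E(d, r) != gamma or d != max(bit_of[x] for x in key):
            return False
    return True


def tern(written, clause):
    """The tern of ciphertexts associated to a clause, ordered by variable index."""
    return tuple(written[var][1 if neg else 0] for var, neg in sorted(clause))


def prove(v, witness, clauses, t):
    """A's communication stage for truth assignment t (list of bools).
    Step 2: write each pair so that the ciphertext encrypting 1 is associated
    to the literal that is true under t. Step 3: open each clause's gamma."""
    pairs, _ = v
    pair_bits, _, openings = witness
    written = []
    for i, truth in enumerate(t):
        alpha, beta = pairs[i]
        written.append((alpha, beta) if truth == (pair_bits[i][0] == 1) else (beta, alpha))
    return written, [openings[tern(written, c)][1] for c in clauses]


def verify(v, clauses, proof):
    """B's check: each written pair is {alpha_i, beta_i} in some order, and each
    clause's gamma opens to 1, i.e. at least one associated literal is true."""
    pairs, table = v
    written, seeds = proof
    if len(seeds) != len(clauses) or len(written) > len(pairs):
        return False
    if any(set(w) != set(p) or w[0] == w[1] for w, p in zip(written, pairs)):
        return False
    for clause, r in zip(clauses, seeds):
        if any(var >= len(written) for var, _ in clause):
            return False
        key = tern(written, clause)
        if key not in table or E(1, r) != table[key]:
            return False
    return True
```

With `preprocess(2)` the table has $\binom{6}{3} \cdot 8 = 160$ entries, matching the $O(n^3)$ bound. A proof produced from a non-satisfying assignment is rejected because the looked-up $\gamma$ encrypts 0 and cannot be opened as 1; a proof produced against M's string $v'$ is accepted for any assignment, which is exactly why $v'$ must be kept outside V by the preprocessing-stage check.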
4 Open Problems 

Our results can be extended in two directions. 

The first extension concerns the length of the theorem that can be proved. 

In fact, in our model the length of the theorem that can be proved is determined 
by the length of the shared string. Rephrasing this in terms of our example, suppose 
that, before A leaves, A and B agree on an $n^c$-bit long string $v \in V$, where c is the 
suitable constant. What happens if A finds the proof of a theorem of size, say, 2n? 
Certainly, A will not be able to prove this theorem to B in Zero-knowledge, using 
our protocol. 

One would like to have a protocol that allows to prove any polynomial number 
of theorems of length polynomial in the length of the shared string v. 

The second extension concerns the auxiliary language V. Namely, can we replace 
the string $v \in V$ with a random string $\sigma$? 

Abstract 

We describe a model in which a computationally bounded verifier consults 
with a computationally unbounded oracle, in the presence of malicious faults 
on the communication lines. We require a fairness condition which in essence 
says that some of the oracle's messages arrive uncorrupted. We show that a 
deterministic polynomial time verifier can test membership in any language in 
P-space, but cannot test membership in languages not in P-space, even if he is 
allowed to toss random coins in private. We discuss the zero knowledge aspects 
of our model, and demonstrate zero knowledge tests of membership for any 
language in P-space. 

1 Introduction 

The original GMR [7] model of interactive proof systems (IPS) is based on a powerful 
prover P who wants to convince a polynomial verifier V that a certain assertion Q is 
true. The model considers two separate scenarios: P can be trustworthy (and then 
V should accept true assertions), or P can be a cheater (and then V should reject 
false assertions). By introducing interaction into the proof process, GMR hoped to 
achieve two goals: 

• To increase the class of provable assertions beyond NP. 

• To provide zero knowledge proofs. 

Recently, Ben-Or, Goldwasser, Kilian and Wigderson (BGKW [1]) have intro- 
duced a general model of multi-prover protocols, and studied a variant which makes 
it possible to provide perfect zero knowledge proofs, but does not seem to increase 
the power of the proof system. Motivated and inspired by their work, we consider 
in this paper a different variant which does extend the class of provable assertions. 

In our new Noisy Oracle model, a probabilistic polynomial time verifier V tries 
to decide whether an input assertion Q is true or false. He is aided by a trusted and 
infinitely powerful prover P, but their communication is disrupted by an adversary 
A who can block or modify their messages. If A does not exist, V can just believe the 
one-bit advice provided by P. If A can totally block the communication, P cannot 
help V. In our model we consider the interesting case in which A is computationally 
unbounded but an imperfect jammer in the sense that a non-negligible fraction 
of the messages exchanged by P and V reach their destination unaltered, in spite 
of the malicious interference. The problem from V's point of view is that he does 
not know which messages are authentic, and the only assumption we allow him to 
make is that occasionally he gets good advice. In particular, if he asks the same 
question sufficiently many times, at least one of the answers will be correct with 
overwhelming probability, but he is still left with the problem of deciding which one 
it is. 

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 284-296, 1990. 
© Springer-Verlag Berlin Heidelberg 1990 

An alternative model which has essentially the same properties as the Noisy 
Oracle model is the following Multi-Oracle model: V interacts with several infinitely 
powerful oracles $P_1, \ldots, P_n$, and has to decide whether the common input Q is true 
or false. To make the model non-trivial, we assume that at least one of the oracles 
is trustworthy and at least one of the oracles is a cheater, but V does not know who 
is who. The powerful cheaters can break cryptosystems, forge signatures, and test 
all the possible outcomes of their actions, while the limited verifier has to rely on 
the (unknown) trustworthy prover to refute incorrect claims. 

As a motivating example to the Multi-Oracle model, consider a court of law in 
which two lawyers (oracles) present their conflicting views of the same case in front 
of a judge (verifier). Both lawyers have spent much time learning all details of the 
case. On the other hand, the judge does not have much time to spend. He must use 
the lawyers' knowledge in order to extract the facts correctly in a short time, and 
then reach a decision based on the facts he knows. One of the lawyers wants the 
judge to learn the facts correctly, because then his client is bound to win the case. 
The other lawyer naturally wants to fool the judge, as otherwise his client will lose 
the case. The judge does not know which is the truthful lawyer and which is the 
cheating lawyer. Using our Multi-Oracle model we characterize the facts that the 
judge can extract efficiently despite the presence of a cheating lawyer. 

In the Multi-Oracle presentation of our model, we restrict the cheating oracles 
by limiting their numbers. In this the model resembles models for distributed 
computing in the presence of faults (and in particular Byzantine agreement HM 
[9]). But there is a great difference: we are interested in proving mathematical 
facts, which the verifier could not prove by himself because of limited computing 
power. In the Byzantine agreement model, the emphasis is on reaching a consensus 
about the environment (e. g. the value of a global coin), rather than testing the 
correctness of mathematical assertions. 

In section 2 we present our model. In section 3 we consider verifiers bounded to 
polynomial time. Our main result is that in the main variant of the Noisy Oracle 
model, the testable assertions are exactly those which lie in the complexity class 
P-space. This is in contrast to what is believed to be the case with IPS, where 
proving even co-NP-complete assertions will lead to the collapse of the polynomial 
hierarchy (see GS [8]). In section 4 we define the zero-knowledge aspects of the 
model, and demonstrate zero-knowledge protocols for all statements in P-space. 
Section 5 suggests directions for further research, and in particular discusses some 
recent results on multi oracle protocols with space bounded verifiers. 

2 The Model 

A computationally bounded verifier V interacts with a set of oracles, where the 
size of the set (denoted by n) is fixed, depending on the length of the input. t 
of the oracles are potential cheaters, where $n/2 \le t < n$. (The case where $t < n/2$ 
is uninteresting, as V can take a majority vote to determine the correct answer.) 
In the multi-oracle model V receives a set of up to n answers, t of which may be 
incorrect, but at least one answer must be correct. In the noisy oracle model 
V receives one answer, where the probability of it being correct is $\frac{n-t}{n}$. Thus in 
the noisy oracle model, we can only demand that the verifier be convinced with 
overwhelming probability, as V is not guaranteed to ever receive a correct answer. 

In the multi oracle model we may consider different network configurations. If 
we have a star shaped (or similar) network, with the verifier at the center and the 
oracles at the leaves, then the oracles become addressable. The verifier can ask each 
oracle a different question, and can ignore certain oracles once it has determined 
that they are cheaters. On a broadcast network, the oracles are anonymous, and the 
verifier cannot associate between messages and their senders. In the configuration of 
the network we include the ability or inability of one oracle to perform interactions 
with other oracles, or to perform eavesdropping on lines not his own. 

An interactive test is a protocol in which the verifier manages to test an assertion, 
even if the adversary (cheaters) displays his worst case behavior. The assertion 
is one concerned with the common input, such as: "the following instance x is a 
legitimate member of language L". In our model, a language L is said to be testable 
if the following condition holds: 

For every input x, and for any adversary A, 

if $x \in L$ then the verifier outputs "$x \in L$", 

and if $x \notin L$ the verifier outputs "$x \notin L$". 

(In some cases we should add "with overwhelming probability".) 

3 Polynomial Time Verifiers 

First we demonstrate a protocol in which the polynomial time verifier tests an NP- 
complete assertion. n is assumed to be equal to the length of the input. Note that 
in this section we do not care about the zero knowledge aspects of the protocols. 

NP-protocol: 

• V sends the problem instance and asks for a witness. 

• P (a truthful prover) sends a correct witness if such exists, and null otherwise. 
C (cheater) sends any message. 

• V tests if at least one of the messages was a valid witness to the statement. 
If so, he concludes that the instance was a yes instance. If not, he concludes 
it was a no instance. 

The correctness of this protocol follows from the fact that t < n. V knows that 
at least one answer is correct, so if he receives no witness, he can conclude that no 
witness exists. Note that the same protocol is applicable to co-NP statements, if P 
sends a counter witness whenever it exists. 

Next we demonstrate a protocol for a P-space complete problem. In order 
to simplify the initial demonstration, we start with a simple version of the model: 
n = 2, t = 1, addressable model. That is: we have a star configuration with a verifier 
interacting separately with two oracles. One of the oracles may be a cheater, but the 
verifier does not know which one. We shall demonstrate the protocol on any P-space 
complete game (as can be found in GJ [5]). In such a game we ask whether the 
first player to move ("white"), or the other player ("black") has a winning strategy. 
The players alternate in the moves they make, and the game is guaranteed to end 
after a polynomial number of moves. 

Simple P-space protocol: 

1. V sends the instance (initial position) of the game to the two oracles, and 
asks them who wins. If their answers agree V stops. 

2. V sends the current position to the oracle who claims that white wins (denote 
him by W) and asks for a winning move for white. 

3. If W does not reply with a move, V concludes that he was cheating, and so 
black is the one who wins. So W replies with a move w for white. 

4. V computes the new position generated by applying w to the previous position, 
sends it to B (the oracle who claims that black wins), and asks for a winning 
move for black. 

5. If B does not reply with a move, V concludes that white wins. So B replies 
with b. V applies b to the current position and returns to step 2. 

After not more than a polynomial number of moves, either one of the two oracles 
is caught not following the protocol, or the game reaches its natural end. In either 
case V concludes correctly who wins in the initial position, as he knows that the 
trustful oracle must have chosen the winning side, and must have made the optimal 
moves. 

The above protocol may easily be generalized to a star network with one prover 
and n − 1 cheaters. The verifier asks each oracle for the outcome of the game 
instance. If all agree, there is no problem. If V receives conflicting answers, he 
chooses two oracles who gave conflicting answers, and lets them play one against 
the other. The loser of the game is marked as a cheating oracle, and is discarded 
from the network. Now V remains with a network of n − 1 oracles, at least one of 
which is truthful. By induction on the size of the network, we see that V determines 
the correct outcome of the game. 
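The simple P-space protocol and its star-network generalization, as an added Python example (this is not the paper's own code). The P-space complete game is replaced by a tiny constructed two-player game (a counter from which the player to move removes 1 or 2, and a player with no legal move loses; the mover wins exactly when the counter is not a multiple of 3) so that the truthful oracle's "winning move" can be computed directly. The class and function names, and the cheater strategy (claim the wrong side, then play arbitrary legal moves), are this example's own assumptions; the verifier logic follows steps 1-5 above and the induction on the network size.

```python
import random


# Constructed toy game G: a single counter; the player to move removes 1 or 2,
# and a player with no legal move (counter 0) loses.
def legal_moves(pos):
    return [m for m in (1, 2) if m <= pos]


def mover_wins(pos):
    """Exact outcome of G: the player to move wins iff pos is not a multiple of 3."""
    return pos % 3 != 0


def other(side):
    return 'B' if side == 'W' else 'W'


class TruthfulOracle:
    """The infinitely powerful honest prover: correct claims, optimal moves."""

    def who_wins(self, pos):
        return 'W' if mover_wins(pos) else 'B'

    def move(self, pos):
        # a winning move is one that leaves the opponent a losing position
        for m in legal_moves(pos):
            if not mover_wins(pos - m):
                return m
        return None  # only reached when asked to play a lost side


class Cheater:
    """A cheating oracle: claims the wrong winner and plays arbitrary legal moves."""

    def __init__(self, rng):
        self.rng = rng

    def who_wins(self, pos):
        return 'B' if mover_wins(pos) else 'W'

    def move(self, pos):
        ms = legal_moves(pos)
        return self.rng.choice(ms) if ms else None


def play_out(pos, white_oracle, black_oracle):
    """Steps 2-5: the oracle claiming white wins (W) and the one claiming black
    wins (B) alternate moves from pos; V applies each move and declares the
    other side the winner as soon as an oracle fails to supply a legal move."""
    mover, oracles = 'W', {'W': white_oracle, 'B': black_oracle}
    while True:
        m = oracles[mover].move(pos)
        if m is None or m not in legal_moves(pos):
            return other(mover)
        pos -= m
        mover = other(mover)


def verify(pos, oracles):
    """Star network with n addressable oracles, at least one truthful: while
    the claims conflict, let two conflicting oracles play and discard the loser."""
    oracles = list(oracles)
    while True:
        claims = [o.who_wins(pos) for o in oracles]
        if len(set(claims)) == 1:
            return claims[0]
        w = next(o for o, c in zip(oracles, claims) if c == 'W')
        b = next(o for o, c in zip(oracles, claims) if c == 'B')
        loser = b if play_out(pos, w, b) == 'W' else w
        oracles.remove(loser)


if __name__ == "__main__":
    rng = random.Random(1)
    for start in range(10):
        print(start, verify(start, [Cheater(rng), TruthfulOracle(), Cheater(rng)]))
```

Each round of `verify` removes one oracle, so at most n − 1 games are played, each of polynomial length; the truthful oracle is never the loser because it only claims the winning side and always answers with a winning move.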

The above protocols cannot be directly applied to the broadcast model or to the 
noisy oracle model, where V receives unordered sets of answers. The problem is 
that V does not know which answer corresponds to which oracle. For each position, 
half the cheaters can actually claim the correct answer, but then try to discredit 
it with bad moves. If V tries to discard some of the moves, he might discard the 
alternative suggested by the real prover. If V does not discard moves, this results in 
an exponential number of variations of the ongoing game that V has to keep track 
of. Nevertheless, a good protocol can be constructed. 

THEOREM 1: Let n be polynomial in the length of the input, with t < n. 
Any statement in P-space can be tested even in the broadcast model (where V 
receives unordered sets of answers). 

We shall introduce terminology and a few short lemmas simplifying the proof of 
the above theorem. 

Let G be a two player (W and B) game, in which the player to move loses if he 
has no legal move. The outcome of a position of G is W (B respectively) if W (B) 
has a winning strategy. An n-hyper-position HP of G is a $k_1 \le n$ by $k_2 \le n$ matrix 
in which each entry is a position in G, and in all positions the same player is to 
move. A hyper-move is made by choosing a column in HP, transposing it to a row, 
and for each entry in the row performing a legal move of G. An HP-transposition 
is constructed by considering $k_3 \le n$ H-moves (from now on, H stands for hyper) 
as rows of a new H-position HP'. Note that if W is about to move in the entries 
of HP then B is about to move in the entries of HP', and vice versa. An n-hyper- 
game is played by n hyper-players. For each H-position each H-player may choose 
to make one H-move, resulting in an HP-transposition. The H-game ends with 
one of the two outcomes W or B in one of two ways: 

1. Agreement: All n H-players choose to make an H-move in the same H- 
position. The outcome of the H-game is W if W has the move in the entries 
of HP, and B otherwise. 

2. Resignation: No player makes an H-move. The outcome of the H-game is W 
if B has the move in the entries of HP, and B otherwise. 

Note that a 2-H-game can be viewed as just an ordinary two player game. 

HP is row-dominated (column-dominated respectively) if it has a row (column) 
in which all entries are positions of G in which the previous (next) player wins. Note 
that HP cannot be both row-dominated and column-dominated simultaneously. 

Lemma: If HP is column-dominated then there exists an H-move such that 
HP' is row-dominated. 

Proof: Pick the dominating column in HP. In all its entries the next player 
wins. For each entry perform the winning moves in G and transpose the column. 
This is the desired H-move. QED. 

An H-move as described above shall be called optimal. 

Lemma: If HP contains a dominating row then HP' contains a dominating 
column. 

Proof: Assume row j is dominating HP. Column j will necessarily dominate 
HP'. QED. 

An optimal H-player makes an optimal H-move whenever one exists, and no H- 
move otherwise. 

Lemma: If HP is dominated, and if at least one of the H-players is optimal, 
then if the H-game ends, it ends with an outcome equal to the outcome of any of 
the positions in the entries of the row/column dominating HP. 

Proof: The existence of the optimal H-player ensures that row/column domina- 
tion will alternate in HP-transpositions, that resignation will not occur in column- 
dominated H-positions, and that agreement will not occur in row-dominated H- 
positions. So the H-game may not end with an outcome different than stated in the 
lemma. QED. 

Now we return to the proof of theorem 1. 

Proof (theorem 1): It is sufficient to consider any game G complete in P- 
space, because reductions into P-space complete problems can be done in polynomial 
time. V can monitor an n-H-game based on G, where the oracles act as H-players: 

1. The initial HP consists of only one entry: the initial position of G. This 
implies that the initial HP is dominated. 

2. V sends the current HP as a challenge to all oracles. 

3. V receives a set of H-moves, at most one from each oracle. 

4. V constructs HP' from the legal H-moves, makes it the current HP and 
returns to step 2 (unless the H-game ended). 

The truthful prover plays the role of the optimal H-player. By the above lemmas 
the outcome of the H-game is identical to the outcome of G. The size of each n-HP 
and the number of HP-transpositions are bounded by a polynomial in the length 
of the input. So V can perform the protocol in polynomial time. QED. 

Corollary: Any assertion in P-space can be tested with overwhelming proba- 
bility in a system where the probability of a correct response is non-negligible. (The 
Noisy Oracle model). 

Proof: Let n be the length of the input, let p be a polynomial, and let be 
the probability of a correct response. Then by repeating each question $n \cdot p(n)$ 
times V receives a set of answers which with overwhelming probability includes at 
least one correct answer. Because the whole protocol is limited to a polynomial 
number of steps, the probability that each of the steps contains at least one correct 
answer remains overwhelming. Thus the verifier can transform his original noisy- 
oracle setting to a new multi-oracle setting, but with modified parameters: $n \cdot p(n)$ 
oracles and one true prover. The proof follows, as V monitors an $n \cdot p(n)$-H-game. 
QED. 
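The hyper-game of Theorem 1, as an added Python example written for this edition (not the paper's own code). It uses the same constructed toy game as the addressable example above (counter, remove 1 or 2, no legal move loses; the mover wins iff the counter is not a multiple of 3), represents an H-position as a list of rows of positions with one side to move in all entries, and an H-move as a column index plus one legal move per row of that column. `optimal_hplayer` is the truthful prover of the lemmas (an optimal H-move whenever HP is column-dominated, none otherwise), `random_hplayer` is a cheater that stays silent or sends an arbitrary column with arbitrary moves, and `monitor` is V's loop in the broadcast model, where replies are an unordered set and only legal H-moves form HP'. All names are this example's own.

```python
import random


# Constructed toy game G: a counter; the player to move removes 1 or 2, and a
# player with no legal move loses. The mover wins iff pos is not a multiple of 3.
def legal_moves(pos):
    return [m for m in (1, 2) if m <= pos]


def mover_wins(pos):
    return pos % 3 != 0


def other(side):
    return 'B' if side == 'W' else 'W'


# An H-position HP is a list of rows of G positions (same side to move in all).
# An H-move is (column index j, one G-move per row, applied to entry j of that row).
def column_dominated(hp):
    """Index of a column in which the next player wins in every entry, or None."""
    for j in range(len(hp[0])):
        if all(mover_wins(row[j]) for row in hp):
            return j
    return None


def row_dominated(hp):
    """True if some row consists only of positions in which the previous player wins."""
    return any(all(not mover_wins(p) for p in row) for row in hp)


def legal_hmove(hp, hmove):
    j, moves = hmove
    return (0 <= j < len(hp[0]) and len(moves) == len(hp)
            and all(m in legal_moves(row[j]) for row, m in zip(hp, moves)))


def transpose(hp, hmove):
    """Apply an H-move: the chosen column, moved in every entry, becomes a row of HP'."""
    j, moves = hmove
    return [row[j] - m for row, m in zip(hp, moves)]


def optimal_hplayer(hp):
    """The truthful prover: a winning move in each entry of the dominating column."""
    j = column_dominated(hp)
    if j is None:
        return None
    moves = [next(m for m in legal_moves(row[j]) if not mover_wins(row[j] - m))
             for row in hp]
    return (j, moves)


def random_hplayer(rng):
    """A cheater: sometimes silent, otherwise a random column with random moves."""
    def play(hp):
        if rng.random() < 0.3:
            return None
        j = rng.randrange(len(hp[0]))
        return (j, [rng.choice(legal_moves(row[j]) or [0]) for row in hp])  # 0 is illegal
    return play


def monitor(initial, to_move, hplayers):
    """V's loop (steps 1-4 of the proof) in the broadcast model; returns W or B."""
    hp = [[initial]]
    while True:
        replies = [p(hp) for p in hplayers]          # at most one reply per oracle
        hmoves = [h for h in replies if h is not None and legal_hmove(hp, h)]
        if len(hmoves) == len(hplayers):             # agreement: every oracle moved
            return to_move
        if not hmoves:                               # resignation: nobody moved
            return other(to_move)
        hp = [transpose(hp, h) for h in hmoves]      # HP' built from the legal H-moves
        to_move = other(to_move)


if __name__ == "__main__":
    rng = random.Random(7)
    for start in range(9):
        players = [optimal_hplayer] + [random_hplayer(rng) for _ in range(3)]
        print(start, monitor(start, 'W', players), 'W' if mover_wins(start) else 'B')
```

Because every transposition makes a move in every entry, the counter in each entry strictly decreases and the H-game ends within as many rounds as the initial counter; HP never exceeds n rows by n columns. The three lemmas are what make `monitor` correct with a single honest oracle among arbitrary cheaters: with `optimal_hplayer` present, domination alternates between rows and columns, agreement only happens in column-dominated positions and resignation only in row-dominated ones.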

We have seen that V can test any P-space assertion even in the most difficult 
scenario — the noisy oracle model with low probability of correct answers, and no 
coin tossing allowed. We shall now show that even in a more favorable scenario, 
the multi-oracle broadcast model with only one cheating oracle and with a secret 
source of randomness, V cannot test assertions not in P-space. 

THEOREM 2: In a broadcast network, if in every round the adversary 
sees the message of the prover before deciding on his own message, a probabilistic 
polynomial time verifier cannot test assertions not in P-space. 

Proof (sketch): Suppose a language L is testable in the broadcast model. 
We demonstrate a P-space algorithm for testing whether an instance x of length n 
belongs to L. V is assumed to truthfully follow a certain algorithm, and to output 
either "$x \in L$" or "$x \notin L$" after a number of steps bounded by some polynomial 
p(n). This implies bounds of p(n) on the number of coin tosses V makes, on the 
number of messages he expects to receive and on the maximal message length. We 
construct a game tree of depth 3p(n), composed of three types of nodes: $O_1$, $O_2$, 
V. The edges leading out of nodes of $O_1$ ($O_2$, V respectively) correspond to all 
possible messages (whether they make sense or not) of oracles trying to prove $x \in L$ 
(oracles trying to prove $x \notin L$, verifier respectively). A string S is said to agree 
with the path from the root to a leaf if V's algorithm, given S on his random tape 
and assuming $O_1$ and $O_2$ send the messages implied by their edges along the path, 
would indeed cause V to send the messages implied by his edges. The value R of a 
leaf is the number of length-p(n) random strings which agree with the corresponding 
path, and which cause V to output "$x \in L$". The value of an inner node of the 
tree is defined recursively: an $O_1$-node maximizes over its sons (nodes of $O_2$). An 
$O_2$-node minimizes over its sons (nodes of V). A V-node sums over its sons (nodes 
of $O_1$). We shall prove that the value of the root is greater than $2^{p(n)-1}$ iff $x \in L$. 

Assume $x \in L$. We want to show that this implies $R > 2^{p(n)-1}$. Consider an 
adversary who takes the role of $O_2$ in the game tree constructed, and chooses his 
messages optimally so as to minimize R. Because we assume that L is testable, 
there exists a strategy for the real prover which causes V to output "$x \in L$" with 
overwhelming probability. In particular, the optimal strategy of taking the role of 
$O_1$ and choosing messages so as to maximize R must work. Note that there exists 
no better strategy, because we assumed the adversary may choose his messages in 
each round after viewing the prover's messages. This optimal strategy convinces V 
with probability and so $R > 2^{p(n)-1}$. 

Assume $x \notin L$. We want to show that this implies $R < 2^{p(n)-1}$. Consider an 
adversary who takes the role of $O_1$ in the game tree constructed, and chooses his 
messages optimally so as to maximize R. Because we assume that L is testable, 
there exists a strategy for the real prover which causes V to output "$x \notin L$" with 
overwhelming probability. In particular, the better than optimal strategy of taking 
the role of $O_2$ and choosing messages so as to minimize R must work. This strategy 
is better than optimal because the prover chooses his messages after viewing the 
adversary's messages. This better than optimal strategy convinces V with proba- 
bility $< \frac{1}{2}$, and so $R < 2^{p(n)-1}$. 

Finally, the value of the root can be computed by a Depth First Search traversal 
algorithm in polynomial space. This is a consequence of the simplicity we maintain 
in the construction of the game tree. We do not try to consider only "sensible" 
messages of the oracles, as a P-space algorithm cannot judge what messages are 
considered sensible by computationally unbounded and possibly cheating oracles. 
Furthermore, the edges leading out of V nodes are not restricted only to those 
corresponding to messages V really sends, as this would imply extensive bookkeeping. 
The only information our algorithm needs to save is both a message number and 
an R-counter for each node along the current path considered in the tree, and this 
requires $O(p^2(n))$ space. QED. 

The assumption that the adversary sees the prover's message before deciding on 
his own was crucial in the above proof. In particular, if the situation is known to 
be reversed, the verifier can correctly test any assertion, as the prover just sends a 
message whose exclusive-or with the adversary's messages gives the correct answer. 
In addressable models, we assume no oracle knows which messages were sent by 
other oracles, and so again the proof of theorem 2 does not hold. A major open 
question is whether addressable models allow probabilistic polynomial time verifiers 
to test membership in languages not known to be in P-space. 

4 Knowledge complexity 

GMR introduced the notion of knowledge complexity of a language. We extend 
their definitions so as to apply to our model with a probabilistic polynomial time 
verifier. 

One may view the interaction between the verifier and the noisy oracle as an 
interaction between two parties, where one of the parties wants to test the value of 
a predicate through the other party. The adversary (noise) models possible trouble. 
Allowing for this possibility, the oracle agrees to help the verifier filter out incor- 
rect answers, by demonstrating their incorrectness. In zero-knowledge protocols the 
oracle does not agree to allow a cheating verifier's claim of alleged imperfect com- 
munication to cause the oracle to reveal additional information. For example, the 
oracle may not agree to give the verifier specific witnesses which demonstrate the 
correctness of the claims made by the oracle, or which demonstrate the incorrect- 
ness of claims made by the adversary. We model the above setting by stating that 
there is no adversary along the communication lines. A cheating verifier interacts 
with a cautious oracle, and claims that he receives conflicting messages. The cor- 
responding definition for the multi oracle model allows a polynomial time cheating 
verifier V* to manage the behavior of the cheating oracles as best suits him. A pro- 
tocol is in zero knowledge if V* cannot increase his knowledge beyond the one bit 
he receives anyway (the truth value). Note that if we do not limit the cheaters to 
polynomial time, nothing prevents them from revealing information to the verifier. 

As an example motivating the zero knowledge concept, we return to our two 
lawyers making their claims in front of the judge. The defending lawyer claims that 
the defendant has a perfect alibi for the night of the murder, while the prosecution 
claims the opposite. The defense is in a delicate position because the alibi is rather 
embarrassing: the defendant has spent the night of the murder with the judge's 
wife! How can the defense convince the judge that the defendant is not guilty (of 
murder), without revealing the actual alibi? The answer is simple: do it in zero 
knowledge. 

We assume the reader is familiar with the definitions of zero-knowledge. We just 
sketch our definition. 

Definition: In the noisy oracle model, a protocol is said to be zero knowledge 
if the following condition holds: There exists a probabilistic polynomial time algo- 
rithm M (which may run V* as a subroutine), where M is given the truth value of 
the assertion involved, such that for any non-uniform polynomial time algorithm 
V* which manages the behavior of the verifier and of the cheaters, M's output is 
indistinguishable from V*'s view of the communication with the real prover. 

We shall consider the model in which n is equal to the length of the input, t = n − 1 and the oracles are not addressable. The adversary A manages the behavior of all the cheaters. In proving that a protocol is in zero-knowledge, V* manages the behavior of V and of A, but is limited to polynomial time. P denotes the truthful prover.

The trivial protocol for NP languages (sending a witness whenever one exists) reveals no information in the case where x ∉ L (co-NP statements), as P sends no message, and M has nothing to simulate. But the protocol as a whole is not zero knowledge, as a polynomial time simulator M is not guaranteed to produce witnesses for NP statements in cases where x ∈ L. So in order to construct zero knowledge protocols in our model, we shall apply techniques used in IPS. We shall demonstrate that care should be taken when doing so.

Following the footsteps of GMW [6], we assume that safe encryption functions exist. We use a protocol proposed by Manuel Blum, and sketch its basic structure in order to make this paper self contained:

1. V asks for an encrypted random permutation on the graph G.

2. P sends the encryption, and A adds whatever messages he wants.

3. For each message he receives, V requests either its full decryption and the permutation used, or partial decryption revealing a Hamiltonian cycle.

4. P sends the requested information, and A adds whatever messages he wants.

5. V checks that at least in one of the received messages the protocol was followed correctly.

In order to diminish the chance of cheating, this basic structure may be iterated 
n times (serial version) . Alternatively V may ask at step 1 for n encrypted random 
permutations of G (parallel version). We shall demonstrate that both approaches 
are not recommended. 

1. Serial version:

Here the adversary has a good chance of cheating in a broadcast network. Suppose G does not have a Hamiltonian cycle. The adversary may convince V to the contrary: when asked for an encrypted permutation of the graph, the adversary sends n such encryptions, n/2 encryptions of Hamiltonian cycles and n/2 null answers. (We assume the prover returns a null answer as well.) When V asks for decryptions, A has 0.5 chance to succeed for each message. Because there are O(n) messages, he has exponentially high probability of cheating at least once. Even if the protocol is iterated a polynomial number of times, the adversary has high probability of succeeding in all rounds. In the broadcast model, V does not know if there existed one oracle which succeeded in all iterations, in which case V should accept, or whether each oracle failed at least once, in which case V should reject.

2. Parallel version: 

Here the adversary has a negligible chance of cheating, but now the simulator 
(M) has an impossible task: he himself needs exponential time in order to 
simulate a run (assuming he does not know any Hamiltonian cycle) . 

Since both the serial version and the parallel version are incorrect, we shall use a combined version. V asks for log n encryptions of different random permutations of G, all in parallel. This basic protocol is iterated n times. In each iteration, the adversary has 1/n probability of cheating with any single message, or constant probability of cheating with at least one message. So A has negligible chance of cheating at least once in every iteration of the whole protocol. On the other hand, M can simulate each iteration in O(n) trials, and the whole protocol in O(n^2) steps.

The zero knowledge protocol presented above suits Co-NP statements as well. 
If each iteration contains at least one good message, the verifier concludes that 
there exists a witness. Otherwise, he concludes that no witness exists. This is 
true of protocols in our model in general: they either demonstrate that an assertion 
is correct, or that it is not correct. In no case does the verifier remain in state of 
doubt. 

Finally, we consider the P-space complete game discussed in Theorem 1. The H-game constructed in the proof of this theorem can be played even if the entries to the H-positions are encrypted. The powerful provers play by breaking the corresponding cryptosystems, choosing an H-move and encrypting it. Polynomial time V has the task of blindly constructing encrypted H-positions from the encrypted H-moves he receives. When the encrypted H-game ends (it must end in a polynomial number of rounds), the verifier tests in zero knowledge a statement in NP — that the decryption of the whole history of the H-game would give the desired outcome.

Theorem 3: Under the assumption that encryption functions exist, any state- 
ment in P-space can be tested in zero-knowledge (in all models). 
A proof can be constructed from the discussion above. 

The above theorem can be extended to any protocol in which all V does is 
shift messages back and forth. For all such protocols we can easily construct zero- 
knowledge versions. On the other hand, in protocols in which V takes actions which 
depend upon the messages he receives and upon his coin tosses, the above technique 
does not give a zero-knowledge protocol, since V does not know which action to 
take if the messages he receives are encrypted. 

5 Further Research 

In this paper we presented a new model, which has many variants: Addressable 
versus broadcast communication, time bounded versus space bounded verifiers, etc. 
There are many open questions, of which we want to point out one in particular: Is 
there any language not known to be in P-space which is testable by a probabilistic 
polynomial time verifier? As can be derived from theorem 2, the best model for 
looking for such a language is the addressable model with private coins. 

It may be interesting to mix our model with the multi-oracle model of BGKW [1]. We may assume that at least two oracles are trustworthy, that oracles cannot communicate among themselves, and that the good oracles share a read only common random string. The results of BGKW transform to this model, giving perfect zero knowledge proofs for every language in NP. Furthermore, this automatically gives perfect zero knowledge proofs of all languages in co-NP, as the model is closed under complement. Can these results be pushed further up in the polynomial hierarchy?

A different line of research is to study the structure of our models. In what 
models are public coins as powerful as private coins? In what ways does the number 
of rounds of a protocol correspond to the complexity level of the tested language in 
the polynomial hierarchy? 

Interactive protocols with space bounded verifiers received much attention recently (see Condon and Ladner [2], Dwork and Stockmeyer [3], Kilian [10] and others). The fact that if some information is hidden from the players, the outcome of very complex games can be tested in very little space, was demonstrated by Reif [12] and by Peterson and Reif [11]. In a paper now in preparation (FS [4]), the notion of probabilistic space bounded verifiers in addressable multi oracle systems is defined. The following surprising results are proved:

Theorem 4 (FS [4]): In our multi oracle model, a log-space verifier can test 
any P-space assertion in polynomial time. 

Theorem 5 (FS [4]): In our multi oracle model, the set of elementary recursive languages (that is, languages recognized by a Turing machine in time $2^{2^{\cdots^{n}}}$, with a fixed number of exponentiations) is strictly contained in the set of languages testable by log-space verifiers.

Theorem 6 (FS [4]): In the multi prover model of BGKW [1], the set of 
elementary recursive languages is strictly contained in the set of languages testable 
by log-space verifiers. Furthermore, if protocols are not requested to end with 
probability 1, constant space verifiers can recognize any partial recursive language. 
Abstract: We consider the efficient generation of solved instances of computational problems. In particular, we consider invulnerable generators. Let S be a subset of {0,1}* and M be a Turing Machine that accepts S; an accepting computation w of M on input x is called a "witness" that x ∈ S. Informally, a program is an α-invulnerable generator if, on input 1^n, it produces instance-witness pairs (x, w), with |x| = n, according to a distribution under which any polynomial-time adversary who is given x fails to find a witness that x ∈ S, with probability at least α, for infinitely many lengths n.

The question of which sets have invulnerable generators is intrinsically appealing theoretically, and the results can be applied to the generation of test data for heuristic algorithms and to the theory of zero-knowledge proof systems. The existence of invulnerable generators is closely related to the existence of cryptographically secure one-way functions. We prove three theorems about invulnerability. The first addresses the question of which sets in NP have invulnerable generators, if indeed any NP sets do. The second addresses the question of how invulnerable these generators are.

Theorem (Completeness): If any set in NP has an α-invulnerable generator, then SAT has one.

Theorem (Amplification): If S ∈ NP has a β-invulnerable generator, for some constant β ∈ (0,1), then S has an α-invulnerable generator, for every constant α ∈ (0,1).
Our third theorem on invulnerability shows that one cannot, using techniques that relativize, resolve the question of whether the assumption that P ≠ NP alone suffices to prove the existence of invulnerable generators. Clearly there are relativized worlds in which invulnerable generators exist; in all of these worlds, P ≠ NP. The more subtle question, which we resolve in our third theorem, is whether there are also relativized worlds in which P ≠ NP and invulnerable generators do not exist.

Theorem (Relativization): There is an oracle relative to which P ≠ NP but there are no invulnerable generators.

1 Introduction 

Sanchis and Fulk have studied the complexity of constructing test instances of hard problems, and the connections between such construction and the structure of complexity classes [20,21]. In this paper, we consider the efficient generation of solved instances of computational problems. For example, if S = {x : ∃w. p(x, w)} is a set in NP, we may wish to generate instance-witness pairs (x, w) according to a specified distribution. The relationship between the complexity of generating pairs (x, w) and the complexity of finding w given x is intrinsically interesting theoretically, and it is also important to the testing of heuristic algorithms for hard problems and the proposed applications of zero-knowledge proof systems.

Specifically, we ask whether it is possible to generate what we call an invulnerable distribution of instance-witness pairs. For example, is it possible to generate pairs (f, a), where f is a boolean formula and a is a satisfying assignment, give the secret a to one user A, publish the formula f, and remain reasonably confident that a polynomial-time adversary would be unable to find a satisfying assignment a' for f and thus to impersonate A? Feige, Fiat, and Shamir proposed this use of "zero-knowledge proofs of identity" as a security mechanism; the specific scheme they suggest is based on the Quadratic Residuosity Problem (QRP, [6]). Zero-knowledge proofs of identity may still be useful even if the QRP turns out to be easier than is widely assumed; furthermore, even if the QRP is hard, it may be possible to base a scheme on another problem and achieve more security. Thus, it is important to have a complexity-theoretic framework in which to consider whether a scheme for generating instance-witness pairs produces a secure distribution.

When Goldwasser, Micali, and Rackoff first introduced zero-knowledge proof systems, they postulated an all-powerful prover ([10]). Since then, they and others (e.g., [3], [5]) have considered a model in which prover and verifier have the same computational resources, and the prover's only advantage is that he happens to know the witness w for a particular instance x of the hard problem at hand, perhaps because he constructed x and w simultaneously. This model, together with the proof that all sets in NP have zero-knowledge proof systems ([4], [11]), forms the basis for the "compilation" of multi-party protocols into "validated" protocols ([7], [11]). Thus, it is important to realize that the model is meaningful only if there is a way for an efficient program to generate harder instances than the verifier can solve.

Many NP-Complete sets have obvious, simple generation schemes. For example, Hamil- 
tonian graphs on n vertices can be generated by choosing a random circuit and then adding 
each other possible edge independently with probability 1 /2. The probability of generating a 
particular graph is proportional to the number of Hamiltonian circuits it has. However, the 
following examples show that some natural methods of generating solved instances are not 
secure. The first method succumbs to a very simple algorithm; the second can be cracked 
by a sophisticated technique. 

Example: 3SAT. A 3SAT instance is a set of variables U = {u_1, u_2, ..., u_n} and a set of clauses C = {c_1, c_2, ..., c_m}, where each clause consists of three literals. The question is whether there exists a truth assignment that satisfies C. (See [8] for definitions.)

A "natural" way to generate solved 3SAT instances is as follows. Choose a truth assignment t uniformly from the 2^n possibilities. For each i between 1 and m, choose three distinct variables uniformly at random; of the eight sets of literals that correspond to these variables, seven are true under t. Choose clause c_i from those seven, uniformly at random. This scheme produces each set C of m clauses satisfied by t with equal probability.

A polynomial-time adversary can reconstruct t with high probability, if the number of clauses m is large enough. The basic observation is that if t(u_i) = TRUE then

$$\frac{\Pr[u_i \in c_j]}{\Pr[\bar{u}_i \in c_j]} = \frac{4}{3} \quad \text{for every } i \text{ and } j$$

(of the seven literal patterns satisfied by t, four contain u_i and only three contain ū_i). Therefore, if m > k n ln n for a suitable constant k, then with probability 1 − o(1) for every i simultaneously, the literal u_i appears in C more often than the literal ū_i if and only if t(u_i) = TRUE.

One can try to improve this generation scheme by choosing the literals in each clause so that at least one is FALSE and at least one is TRUE. Then the expected number of occurrences of u_i is equal to the expected number of occurrences of ū_i, for all i. However, the improved scheme can be cracked easily if m > k n^2 ln n by observing statistics about pairs of variables. □
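The literal-count observation above, as an added example that is not part of the paper: it implements the "natural" generator (planted t, each clause drawn uniformly from the seven patterns satisfied by t), the balanced variant (at least one TRUE and one FALSE literal per clause), and the count-based recovery of t, so that a generator's author can measure the leak before trusting the distribution. The parameters n = 16, m = 10000, the helper names and the seeds are constructed for the demonstration; the pair-statistics attack on the balanced scheme is not implemented.

```python
# Added example (not from the paper): solved-3SAT generators and the
# literal-count recovery of the planted assignment.  Literals are (var, sign)
# pairs: sign=True is u_var, sign=False is not-u_var.  All parameters are
# constructed for the demo.
import random
from itertools import product


def _planted_3sat(n, m, rng, allowed):
    """Plant a uniform assignment t, then build m clauses.  Each clause picks
    3 distinct variables and a sign pattern chosen uniformly among those for
    which `allowed(truth_values)` holds, where truth_values is the tuple of
    literal truth values under t."""
    t = [rng.random() < 0.5 for _ in range(n)]
    clauses = []
    for _ in range(m):
        vs = rng.sample(range(n), 3)
        patterns = [p for p in product((True, False), repeat=3)
                    if allowed(tuple(s == t[v] for s, v in zip(p, vs)))]
        signs = rng.choice(patterns)
        clauses.append(tuple(zip(vs, signs)))
    return t, clauses


def natural_3sat(n, m, rng):
    """The scheme from the text: any of the 7 patterns satisfied by t."""
    return _planted_3sat(n, m, rng, lambda tv: any(tv))


def balanced_3sat(n, m, rng):
    """The improved scheme: at least one TRUE and one FALSE literal (6 patterns)."""
    return _planted_3sat(n, m, rng, lambda tv: any(tv) and not all(tv))


def sample(gen, n, m, seed):
    """Deterministic draw from a generator, for reproducible experiments."""
    return gen(n, m, random.Random(seed))


def satisfies(t, clauses):
    return all(any(s == t[v] for v, s in c) for c in clauses)


def is_balanced(t, clause):
    truth = [s == t[v] for v, s in clause]
    return any(truth) and not all(truth)


def literal_counts(n, clauses):
    """Occurrences of u_i (pos) and not-u_i (neg) in C, for every i."""
    pos, neg = [0] * n, [0] * n
    for c in clauses:
        for v, s in c:
            (pos if s else neg)[v] += 1
    return pos, neg


def count_attack(n, clauses):
    """Polynomial-time adversary: guess t(u_i) = TRUE iff u_i outnumbers not-u_i."""
    pos, neg = literal_counts(n, clauses)
    return [pos[v] > neg[v] for v in range(n)]


def fraction_recovered(gen, n, m, seed):
    """Fraction of the n planted truth values the count attack gets right."""
    t, clauses = sample(gen, n, m, seed)
    guess = count_attack(n, clauses)
    return sum(g == x for g, x in zip(guess, t)) / n


def true_literal_ratio(t, clauses):
    """Pooled (#u_i)/(#not-u_i) over variables with t(u_i) = TRUE.  The text's
    observation predicts 4/3 for the natural scheme and 1 for the balanced one."""
    pos, neg = literal_counts(len(t), clauses)
    p = sum(pos[v] for v in range(len(t)) if t[v])
    q = sum(neg[v] for v in range(len(t)) if t[v])
    return p / q if q else None
```

With m large compared with n ln n the count attack recovers t exactly on the natural scheme, while on the balanced scheme the pooled ratio sits at 1 and the same counts say nothing about t; the remaining leak there is in pair statistics, which this block does not measure.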

Example: Subset Sum. A Subset Sum instance consists of a finite set A = {a_1, a_2, ..., a_n} of positive integers and a positive integer M. The question is whether there exists a set A' ⊆ A that has sum equal to M. The difficulty of the Subset Sum problem is the justification of knapsack-type public key cryptosystems.

One can generate solved Subset Sum instances as follows. Choose a vector e = (e_1, ..., e_n) of zeroes and ones, uniformly at random. Fix a positive integer B. Choose each a_i ∈ A uniformly at random from {1, 2, ..., B}. Let $M = \sum_{1 \le i \le n} a_i e_i$.

This generation scheme can be cracked with an algorithm due to Lagarias and Odlyzko ([16]). If B is sufficiently large, then every instance is almost certainly solvable by their ingenious application of the LLL basis-reduction algorithm. □

In Section 3 below, we define precisely what it means for a generation scheme to be invulnerable. We then prove a Completeness Theorem that states that, if any set in NP has an invulnerable generator, SAT has one. In particular, under the Quadratic Residuosity Assumption, the Discrete Logarithm Assumption, or the Factoring Assumption, one can generate a hard distribution of SAT.¹ This is not surprising. What is more interesting is that, even if all of these assumptions turn out to be false, one can still generate a hard distribution of SAT, provided one can generate a hard distribution of anything in NP. Our construction of an invulnerable generator for SAT incorporates whatever invulnerability is present in any possible generator for an NP set and does not assume it knows where the invulnerability comes from (as it would be assuming if it built hard instances by multiplying distinct primes, as in [6], etc.). Section 3 also contains an Amplification Theorem, which shows how to enhance the invulnerability of any generable distribution, and a Relativization Theorem — the existence of invulnerable generators clearly implies that P ≠ NP, but the converse cannot be proven by techniques that relativize.

In Section 4, we discuss briefly the general question of which sets can be generated according to which distributions, consider several related works, and propose directions for future research. Section 2 contains terminology and notation that is used extensively in the rest of the paper. We have deferred full proofs until the final version of the paper in order to save space; whenever possible, we give sketches that convey some of the essential points.

¹ Various forms of these assumptions are ubiquitous in the cryptographic literature (see, e.g., [1], [2], [9], [23]), and we don't need precise statements of them for this informal discussion. For our purposes, it suffices to note that it is possible to generate instances of these number-theoretic problems in randomized polynomial time and that it is widely assumed that, for each of the three problems, for any constant fraction, each polynomial-time algorithm fails to solve that constant fraction of the instances of length n, for all sufficiently large n.

2 Terminology, Notation, and Conventions 

We call a program that flips coins and terminates in worst-case polynomial time on all inputs a randomized polynomial-time program. Let {M_i} denote a standard enumeration of the randomized polynomial-time programs. Let {N_j} denote a standard enumeration of polynomial-time nondeterministic programs; thus, each NP set is recognized by at least one program in our enumeration. We use L(N_j) to denote the set (or language) recognized by N_j.

Let N be a nondeterministic polynomial-time program and S be L(N). We call each accepting path of N on input x a witness that the instance x is in S. We assume without loss of generality that, for any fixed program N, the length n of an instance determines the length m of a witness and that the function n ↦ n + m is one-to-one. We let ω_x denote the set of witnesses that x ∈ S.

We use PF to denote the class of polynomial-time computable functions; a function f ∈ PF need not have range {0,1}, and thus PF is a proper superset of the functions that compute membership of strings in sets in P.

We let S_n denote the elements of S that have length n. The symbol Λ denotes the default output of a program; it may be used to indicate that the desired output does not exist or that the program failed to find it. All of the generation programs that we consider take as input the length n, written in unary, run in polynomial time, and produce elements of S_n; thus we have, by definition, restricted attention to efficient generation.

3 Invulnerable Generators 

In this section, we provide a complexity-theoretic framework in which to consider the gen- 
eration of hard, solved instances. We define precisely what it means for a distribution of 
instance-witness pairs to be "secure against polynomial-time adversaries." Our first theo- 
rem addresses the question of which sets in NP have invulnerable generators, if indeed any 
such sets have them. Theorem 2 addresses the question of exactly how invulnerable these generators are. Finally, Theorem 3 addresses the question of what complexity-theoretic assumptions are needed to prove the existence of invulnerable generators.

Definition: The (i,j)th generation scheme, which we denote G_{i,j}, is a program that, on input 1^n, first simulates M_i on input 1^n and obtains an output string y. If y is of the form (x, w), where |x| = n and w is an accepting computation of N_j on input x, then G_{i,j} outputs (x, w); otherwise, it outputs Λ.

Consider the following game, played between a generation scheme G_{i,j} and an adversary f in PF. The input to the game is a string 1^n; the first move is a run of G_{i,j} on input 1^n. If G_{i,j} outputs a pair (x, w), then the second move is for f to output f(x); if G_{i,j} outputs Λ, then the game ends after the first move. The function f wins the game if the generator outputs Λ, or if the generator outputs (x, w) and f(x) is an accepting computation w' of N_j on input x; otherwise, the generator wins. Note that w' need not equal w; for example, in the identification scheme of Section 1, the adversary f can compromise the security of user A if he computes any satisfying assignment for A's public formula — he need not discover the private assignment that A was given during key-distribution.

Definition: A generation scheme is α-invulnerable, where α is a constant in [0, 1], if, for all f ∈ PF, there are infinitely many lengths n for which the probability that f wins on input 1^n is at most 1 − α. This probability is computed over runs of the game on input 1^n.

Definition: A set S in NP is α-invulnerable, where α is a constant in [0,1], if there is a pair (i, j) for which G_{i,j} is α-invulnerable and S = L(N_j).

Notice that invulnerable generators are closely related to cryptographically secure one-way functions. Let g be a length-preserving function in PF, and assume that any polynomial-time program fails to invert at least a constant fraction of g's outputs, on infinitely many lengths (where "invert" means "find some element of the preimage"). Then the image of g has an invulnerable generation scheme: on input 1^n generate a random w of length n and let x equal g(w). Similarly, an invulnerable generation scheme G_{i,j} gives rise to a cryptographically secure one-way function. The program M_i can be viewed as a mapping from coin-toss sequences to pairs (x, w). Let g be the function that takes a coin-toss sequence to the first component x of the pair output by M_i. Then g must be hard for any polynomial-time adversary to invert on infinitely many lengths; if it weren't, the adversary could discover a coin-toss sequence that gives rise to (x, w), and the scheme G_{i,j} would be vulnerable. The same remarks apply if we require in both cases that adversaries fail on all sufficiently high lengths instead of just infinitely many lengths.

We do not claim that a generation scheme that is invulnerable according to our definition is necessarily useful in practice. For example, the key-distributor in [6] would certainly like to know more than that there exist infinitely many lengths on which a particular polynomially bounded adversary can be thwarted with high probability; he would also like to know that such lengths are of practical size and to have a procedure for finding them. Our definition of invulnerability does, however, provide a good place to start a complexity-theoretic investigation.

Theorem 1 (Completeness): If any NP set is α-invulnerable, for some positive α, then SAT is also α-invulnerable.

Proof (sketch): The full proof proceeds in three stages. First, we construct a "universal generation scheme" G_U that simulates all possible generation schemes, capturing a constant fraction of whatever invulnerability is present in any of them. Next we construct a generator for SAT that applies Cook's reduction to the set S_U generated by G_U in a way that preserves invulnerability. Finally, we show that the lost fraction of invulnerability can be recaptured.

For the universal generator G_U, we need one program M_U, whose running time is bounded by a specific polynomial, to simulate infinitely many programs, whose individual running times may be arbitrarily high degree polynomials. We overcome that obstacle with the following lemma; it guarantees that we need only consider generators G_{i,j} in which the program M_i runs in quadratic time.

Lemma: If G_{i,j} is α-invulnerable, then there is an α-invulnerable generation scheme G_{i',j'} in which M_{i'} runs in quadratic time.

We cannot use a "generic reduction" such as the one used in Cook's proof of the NP-Completeness of SAT in order to construct a universal generator. Such a reduction would not necessarily be length-consistent (i.e., map instances of the same length to instances of the same length). Furthermore, even if our generic reduction mapped instances of length n to instances of length n^k, it may not preserve invulnerability: informally, if the "hard instances" output by a particular generator G_m represent a constant fraction α of the probability mass at length n, their images do not necessarily represent a constant fraction of the probability mass at length n^k, simply because there are so many more instances of length n^k.

We use a nonstandard pairing function to overcome this difficulty. It partitions the positive integers into "columns" as follows: column m consists of all integers of the form 2^{m−1} + k·2^m, where k ≥ 0. Each input length n falls into exactly one column — the one whose index is one more than that of the least significant "1"-bit in the binary representation of n. On input 1^n, G_U first finds m, the index of the column containing n, then chooses an integer l uniformly from the interval [n − 2^m, n). Next, G_U simulates G_m on input 1^l to obtain (x, w), pads x, and outputs (x10^{n−l−1}, w).

Lemma: If G_m is α-invulnerable, then G_U is (α/2^m)-invulnerable.

Informally, to show that, for all f in PF, there are infinitely many lengths n on which f fails to "crack" the output of G_U with probability at least α/2^m, we show that any such f corresponds to a function f' that fails to crack the output of G_m on infinitely many lengths n' with probability at least α. The loss of a factor of 2^m occurs because the "hard length" n' (for f' and G_m) corresponds to the hard length n (for f and G_U) such that n' ∈ [n − 2^m, n); thus G_U only chooses to simulate G_m on input 1^{n'} with probability 2^{−m}. (Note that α/2^m really is a constant, because m is just the (fixed) index of a generator in our enumeration.)

To construct an (α/2^m)-invulnerable generator G_SAT for SAT, we use the fact that the program M_U in generator G_U runs in cubic time. We modify Cook's reduction so that, when applied to NP machines that run in cubic time, it takes instances of length k and produces instances of length exactly k^4. This modified Cook's reduction r also induces a mapping from witnesses of membership in S_U to satisfying assignments of elements of SAT. Thus G_SAT behaves as follows on input 1^n. If n is not a perfect fourth power, it outputs Λ. Otherwise, it simulates G_U on input 1^k, where k^4 = n, obtains a pair (x, w), and outputs r((x, w)). We prove in the full paper that G_SAT is at least as invulnerable as G_U.

Theorem 2, below, guarantees that, if SAT has an (α/2^m)-invulnerable generator, then it also has an α-invulnerable generator. □

Corollary: Under the Quadratic Residuosity Assumption, the Discrete Logarithm Assumption, or the Factoring Assumption, there is an α-invulnerable generator for SAT, for some α ∈ (0,1).

Remark 1: For cryptographic purposes, one would really want more than that "there exists an infinite set of hard lengths". Note that the proof of Theorem 1 gives some hope because, if some G_m defeats an adversary on t(n) lengths between 1 and n, then G_U defeats the corresponding adversary on Ω(t(n)) lengths between 1 and n. (This would not have been true had we used a standard pairing function that stretches both of its arguments quadratically.)

Theorem 2 (Amplification): If an NP set S is β-invulnerable, for some positive β, then S is also α-invulnerable, for all α ∈ (0, 1).

Proof (sketch): It suffices to show that α-invulnerability implies 2α/(1+α)-invulnerability, because the limit of the sequence defined by α_0 = α, α_i = 2α_{i−1}/(1 + α_{i−1}) is 1.

Intuitively, we will show how to increase the level of invulnerability in the most natural way: generate instances, try to crack them, and throw out the cracked ones. Suppose that G_{i,j} is α-invulnerable and that S = L(N_j). If G_{i,j} is (α + (1 − α)/2)-invulnerable, then we are done, because (α + (1 − α)/2) > (2α/(1 + α)); so suppose that it isn't. Then, by definition, there is some f ∈ PF that wins against G_{i,j} on all but finitely many inputs 1^n with probability greater than (1 − α)/2.

Consider the generator G_{i',j} that works as follows on input 1^n: first it runs M_i on input 1^n, just as G_{i,j} does. If M_i outputs (x, w), then G_{i',j} computes f(x) and checks whether it is an accepting computation of N_j on input x. If it is, then G_{i',j} runs M_i again on input 1^n; otherwise, G_{i',j} outputs (x, w). If f wins a sufficiently large number of successive runs of the game, then G_{i',j} outputs Λ.

Clearly, G_{i',j} generates the same set as G_{i,j}, namely L(N_j). In the full paper, we show that G_{i',j} is (2α/(1 + α))-invulnerable and derive a good enough bound on the number of runs of the game between f and G_{i,j} that G_{i',j} has to simulate. □
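The generation game from the definitions in this section and the "generate, try to crack, discard the cracked ones" construction G_{i',j} of this proof sketch, as an added example that is neither the paper's nor any library's code. It uses the solved Subset Sum generator of Section 1 as M_i, the subset-sum check as N_j, and a deterministic greedy heuristic standing in for the adversary f (the Lagarias-Odlyzko attack is not implemented); B = 50, max_tries, n = 12, the trial counts and the seeds are constructed parameters, and None plays the role of Λ.

```python
# Added example (not from the paper): the generation game and the
# amplification wrapper of Theorem 2, instantiated with the Section 1
# Subset Sum scheme.  None stands for the default output Λ.  All numeric
# parameters are constructed for the demo.
import random

B = 50  # bound for the a_i: "choose each a_i uniformly from {1, ..., B}"


def subset_sum_generator(n, rng):
    """M_i for the Section 1 scheme: instance x = (a, M), witness w = e."""
    e = [rng.randrange(2) for _ in range(n)]
    a = [rng.randrange(1, B + 1) for _ in range(n)]
    M = sum(ai * ei for ai, ei in zip(a, e))
    return (a, M), e


def is_witness(instance, e):
    """N_j's acceptance check: e is a 0/1 vector whose selected a_i sum to M."""
    a, M = instance
    return (len(e) == len(a) and all(x in (0, 1) for x in e)
            and sum(ai * ei for ai, ei in zip(a, e)) == M)


def greedy_adversary(instance):
    """A polynomial-time f: take a_i in decreasing order whenever it still fits.
    Any witness e' it returns breaks the instance; e' need not equal the planted e."""
    a, M = instance
    left, e = M, [0] * len(a)
    for i in sorted(range(len(a)), key=lambda i: -a[i]):
        if a[i] <= left:
            e[i], left = 1, left - a[i]
    return e


def adversary_wins(output, f):
    """One round of the game: f wins if the generator output Λ (None), or if
    f(x) is an accepting computation of N_j on x."""
    if output is None:
        return True
    x, _w = output
    return is_witness(x, f(x))


def amplified_generator(n, rng, f=greedy_adversary, max_tries=200):
    """G_{i',j}: rerun M_i while f cracks its output; Λ after max_tries losses."""
    for _ in range(max_tries):
        out = subset_sum_generator(n, rng)
        if not is_witness(out[0], f(out[0])):
            return out
    return None


def loss_rate(gen, n, f, trials, seed):
    """Fraction of games of size n that f wins against gen (Λ counts as a win)."""
    rng = random.Random(seed)
    return sum(adversary_wins(gen(n, rng), f) for _ in range(trials)) / trials


def sample_amplified(n, seed):
    """One reproducible output of G_{i',j}."""
    return amplified_generator(n, random.Random(seed))
```

Against the single deterministic f it was built around, G_{i',j} loses only by emitting Λ, so its measured loss rate is essentially zero; the paper's 2α/(1+α) bound is the statement that matters, because it holds against every polynomial-time adversary, not just the one used to filter.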

Remark 2: For simplicity, we have modeled the adversary as a deterministic polynomial- 
time function. Clearly, in practice one would have to guard against randomized polynomial- 
time adversaries. Theorems 1 and 2 as stated hold even if we quantify over all randomized 
polynomial-time functions in the definition of invulnerability. We give details in the full 
paper. 

Is it possible, in Theorem 1, to weaken the hypothesis that at least one set in NP is α-invulnerable? There are clearly oracles relative to which invulnerable generators exist. Indeed a random oracle will do ([19]). In all of these relativized worlds, P ≠ NP. Is the assumption that P ≠ NP sufficient to prove that invulnerable generators exist? Our next theorem shows that such a proof would not relativize.

Theorem 3 (Relativization): There is an oracle B such that P^B ≠ NP^B, and invulnerable generators do not exist relative to B.
Proof (sketch): Let B = QBF ⊕ K, where ⊕ is disjoint union, and K is an extremely sparse set of strings of maximum Kolmogorov complexity. Specifically, K contains one string of each length n_i, where the sequence n_1, n_2, ... is defined by: n_1 = 2, n_i is triply exponential in n_{i−1} for i > 1; if x ∈ K and |x| = n, then x has Kolmogorov complexity n. The inclusion of QBF gives machines with access to B the full power of PSPACE.

It is straightforward to prove that P^B ≠ NP^B using the techniques in [13].

To show that no invulnerable generators exist relative to B, let G_{i,j} be a generation scheme that has access to the oracle, and assume that it is α-invulnerable, for some constant α in (0, 1). We derive a contradiction by producing an adversary f in PF^B that can crack a higher fraction than 1 − α of all of the instances of any length. Here is an informal description of f and why it works:

The generator $G_{i,j}$ involves a randomized polynomial-time program $M_i$ and a nondeter- 
ministic polynomial-time program $N_j$, both of which can query $B$ at any step. Let $n^{k_1}$ and 
$n^{k_2}$ be bounds on the running times of $M_i$ and $N_j$, and let $k$ be an integer greater than 
$\max(k_1, k_2)$. When trying to crack an instance $x$ of length $n$, $f$ first constructs the set $K'$ 
consisting of all elements of $K$ that have length less than $\log(n^{ck})$, where $c$ is a suitably 
chosen constant. Because $K$ is so sparse, there is at most one string $r$ in $K \setminus K'$ about which 
$G_{i,j}$ may have queried $B$ in generating an $x$ of length $n$. 

Assume that $N$ is the integer closest to $n$ for which there is a string in $K$ of length $N$. 
The difficult case is when $\log(N^{ck}) < n < 2^{N/ck}$; otherwise, $f$ can construct a witness that 
$x \in L(N_j)$ by using queries to $B' = \mathrm{QBF} \oplus K'$. So assume, for example, that $n = 2^{N/ck}$. 

The cracker $f$ first uses $B'$ to determine whether there is a coin-toss sequence $s$ that 
would cause $G_{i,j}$ to output $x$ on input $1^n$ if $G_{i,j}$ were using $B'$. If such an $s$ exists, then $f$ 
can use PSPACE to construct one and in turn to construct a witness; this construction may 
or may not involve the discovery of the random string $r \in K \setminus K'$. If such an $s$ does not 
exist, then $f$ is not able to construct a witness. We show, however, that the only time there 
is no such $s$ (and hence the only time $f$ fails) is when $G_{i,j}$ actually queried $B$ about the 
membership of $r$ in $K$. We complete the proof with a counting argument that shows that, 
if this happens with any constant probability $\alpha$, then $r$ cannot have maximum Kolmogorov 
complexity. ∎ 
4 Discussion, Related Work, and Open Problems 

Let $S$ be an NP set and fix a specific machine $N$ that accepts $S$. Recall that $\omega^N_x$ is the 
set of accepting paths of $N$ on input $x$. We say that $S$ is canonically generable if there 
is a randomized polynomial-time program that, on input $1^n$, generates pairs $(x, w)$, where 
$|x| = n$, such that the probability accorded $x$ is proportional to $|\omega^N_x|$. The straightforward 
generation schemes given in Section 1 for Hamiltonian graphs, 3SAT formulas, and Subset 
Sum instances are all canonical, with respect to the usual types of witnesses for these sets. 

We call these generators canonical mainly because, in a sense, all generators for NP sets 
are canonical. If $G_{i,j}$ is a generation scheme for $S$, then a coin-toss sequence that causes $M_i$ 
to output $(x, w)$ is a witness that $x \in S$, and the probability accorded a particular $x$ is 
clearly proportional to the number of coin-toss sequences that cause it to be output. 

The straightforward canonical generation scheme for Hamiltonian graphs has this general 
form: generate $w$ uniformly and then pick $x$ uniformly from the set of all instances such 
that $w$ is a witness that $x$ is in $S$. In fact, many sets in NP (e.g., SAT, graphs with perfect 
matchings, graphs with cliques of size $|V(G)|/2$) have canonical generation schemes of this 
form with respect to the usual types of witnesses. This leads naturally to the question of 
whether every set in NP has such a canonical generation scheme with respect to every type 
of witness. The answer to this question is no, unless the construction problem for NP sets 
can always be solved in polynomial time. (The construction problem is: given an instance 
$x$, find a witness if $x$ is a yes-instance, and say that there is no witness if $x$ is a no-instance.) 

An interesting area for further research is the relationship between generable (i.e., canon- 
ical) distributions and the "hard-on-average" distributions studied by Levin et al. ([17], see 
also [12], [15], and, more recently, [22]). Levin's randomized NP (denoted RNP) is a class 
of pairs $(D, \mu)$, where $D$ is any decision problem in NP and $\mu$ is any probability function 
on $\{0,1\}^*$ (interpreted as instances of $D$) for which the cumulative distribution function 
$\mu^*(x) = \sum_{z \le x} \mu(z)$ is polynomial-time computable. In [22], Venkatesan and Levin extend the 
definition to construction problems in NP; the distributions they allow are still those with 
polynomial-time computable $\mu^*$. 

Venkatesan and Levin exhibit a construction problem that is RNP-hard, i.e., if there 
is an algorithm that can solve it in expected polynomial time, then all RNP -construction 
problems can be solved in expected polynomial time. The distribution of instances that 
they consider is easy to generate; however, it assigns positive probability to no-instances. 
This suggests some natural questions. Is there an RNP-hard distribution (of instances of 
a construction problem) that assigns positive probability only to yes-instances? Can that 
distribution be generated efficiently if one insists on generating witnesses along with the 
instances? Are the requirements that a distribution be efficiently generable and that it 
have an efficiently computable $\mu^*$ mutually exclusive? For example, our canonical genera- 
tion scheme for Hamiltonian graphs produces a distribution that probably does not have a 
polynomial-time computable $\mu^*$; if it did, then the #P-complete problem of computing the 
number of Hamiltonian cycles in a graph would be solvable in polynomial time. 

Finally, we would like to mention that generation of solved instances has also been 
considered by Rardin, Tovey, and Pilcher [18]; their goal is the construction of test instances 
for heuristic algorithms. 
It is the aim to deal with codes having unconditional security, which means that the 
security is independent of the computing power. Analogously to the theory of uncon- 
ditional secrecy due to Shannon [12], Simmons developed a theory of unconditional 
authentication [10]. In this paper we give some new bounds and constructions for au- 
thentication/secrecy codes with splitting. 

Consider a transmitter who wants to communicate a source to a remote receiver by 
sending messages through an imperfect communication channel. Then there are two 
fundamentally different ways in which the receiver can be deceived. The channel may 
be noisy so that the symbols in the transmitted message can be received in error, or 
the channel may be under control of an opponent who can either deliberately modify 
legitimate messages or else introduce fraudulent ones. Simmons [10] showed that both 
problems could be modeled in complete generality by replacing the classical noisy com- 
munications channel of coding theory with a game-theoretic noiseless channel in which 
an intelligent opponent, who knows the system and can observe the channel, plays so as 
to optimize his chances of deceiving the receiver. To provide some degree of immunity 
to deception (of the receiver), the transmitter also introduces redundancy in this case, 
but does so in such a way that, for any message the transmitter may send, the altered 
messages that the opponent would introduce using his optimal strategy are spread ran- 
domly. Authentication theory is concerned with devising and analyzing schemes (codes) 
to achieve this "spreading". 

In the mathematical model there are three participants: a transmitter, a receiver and 
an opponent. The transmitter wants to communicate some information to the receiver. 
The opponent, wanting to deceive the receiver, can either impersonate the receiver, 
making him accept a fraudulent message as authentic, or modify a message which has 
been sent by the transmitter. 

Let S denote the set of k source states, M the set of v messages and E the set of b 
encoding rules. 

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 311-317, 1990. 
© Springer-Verlag Berlin Heidelberg 1990 
A source state $s \in S$ is the information that the transmitter wishes to communicate to 
the receiver. The transmitter and receiver will have secretly chosen an encoding rule 
$e \in E$ beforehand. An encoding rule $e$ will be used to determine the message $e(s)$ to be 
sent to communicate any source state $s$. In a model with splitting, several messages can 
be used to determine a particular source state. However, in order for a receiver to be 
able to uniquely determine the source state from the message sent, there can be at most 
one source state which is encoded by any given message $m \in M$, for a given encoding 
rule $e \in E$ (this means: $e(s) \neq e(s')$ if $s \neq s'$). 

An opponent will play impersonation or substitution. When the opponent plays 
impersonation, he sends a message to the receiver, attempting to have the receiver ac- 
cept the message as authentic. When the opponent plays substitution, he waits until a 
message $m$ has been sent, and then replaces $m$ with another message $m'$, so that the 
receiver is misled as to the state of the source. More generally, an opponent can observe $i$ 
($\ge 0$) distinct messages being sent over the channel, knowing that the same key is used 
to transmit them but not knowing this key. If we consider the code as a secrecy system, 
then we make the assumption that the opponent can only observe the messages being 
sent. Our goal is that the opponent be unable to determine any information regarding 
the $i$ source states from the $i$ messages he has observed. 

We shall use the following notations. Given an encoding rule $e$, we define $M(e) = 
\{e(s) \mid s \in S\}$, i.e. the set of messages permitted by encoding rule $e$, and let $|M(e)| = 
k(e)$. For a set of distinct messages $M' \subseteq M$ and an encoding rule $e$, define $f_e(M') = 
\{s \in S \mid e(s) \in M'\}$, i.e. the set of source states which will be encoded under encoding 
rule $e$ by a message in $M'$. Define also $E(M') = \{e \in E \mid M' \subseteq M(e)\}$, i.e. the set of 
encoding rules under which all the messages in $M'$ are permitted. 

The following scenario for authentication is investigated. After the observation of $i$ 
messages $M' \subseteq M$, the opponent sends a message $m'$ to the receiver, $m' \notin M'$, hoping 
to have it accepted as authentic. This is called a spoofing attack of order $i$ [6], with 
the special cases $i = 0$ and $i = 1$ corresponding respectively to the impersonation and 
substitution game. The last games have been studied extensively by several authors 
(see [2], [5], [10], [13]). 



For any $i$, there will be a probability on the set of $i$ source states which occur. We 
ignore the order in which the $i$ source states occur, and assume that no source state 
occurs more than once. Also, we assume that any set of $i$ source states has a non-zero 
probability of occurring. Given a set of $i$ source states, we define $p(S)$ to be the proba- 
bility that the source states in $S$ occur. 

Given the probability distributions on the source states described above, the receiver 
and transmitter will choose a probability distribution for $E$, called an encoding stra- 
tegy. If splitting occurs, then they will also determine a splitting strategy to determine 
$m \in M$, given $s \in S$ and $e \in E$ (this corresponds to non-deterministic encoding). The 
transmitter/receiver will determine these strategies to minimize the chance that an op- 
ponent can deceive them. 

Once the transmitter/receiver have chosen encoding and splitting strategies, we can 
define for each $i \ge 0$ a probability denoted $P_{d_i}$, which is the probability that the oppo- 
nent can deceive the transmitter/receiver with a spoofing attack of order $i$. We denote 
by $AC(k, v, b)$ an authentication system with $k$ source states, $v$ messages and $b$ encoding 
rules. 

1 Secrecy 

Considering the secrecy of a code, we desire no information be conveyed by the obser- 
vation of the messages. A code has perfect $L$-fold secrecy (Stinson [14]) if, for every set 
$M_1$ of at most $L$ messages observed in the channel, and for every set $S_1$ of at most $|M_1|$ 
source states, we have $p(S_1 \mid M_1) = p(S_1)$. This means that observing a set of at most $L$ 
messages in the channel does not help the opponent to determine the $L$ source states. 
On the other hand, a code is said to be Cartesian ([2], [13]) if any message uniquely 
determines the source state, independent of the particular encoding rule being used. 

2 Bounds on and b 

Bounds on $P_{d_0}$ and $P_{d_1}$ for authentication codes with splitting depending on the entropies 
of the various probability distributions can be found in [2], [9], [10], [13] and [14]. The 
most important bounds are given by: 

$$P_{d_0} \ge 2^{H(MES) - H(E) - H(M)} = 2^{H(M \mid ES) + H(S) - H(M)}$$

and for a substitution with secrecy 

$$P_{d_1} \ge 2^{-H(E \mid M)} = 2^{H(M) - H(E) - H(S) + H(M \mid ES)}.$$
The following bounds for an impersonation, resp. a substitution game are proven in 
[4]: 

$$P_{d_0} \ge \min_{e \in E} \frac{k(e)}{v} \quad \text{(see also [9], [10])},$$

$$P_{d_1} \ge \min_{e \in E} \frac{k(e) - \max_{s \in S} |e(s)|}{v - \max_{s \in S} |e(s)|}.$$

For codes without splitting this results in the known bounds $P_{d_0} \ge k/v$ and $P_{d_1} \ge 
(k-1)/(v-1)$ ([6], [13], [14]). 
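A constructed example, added here and not taken from the paper, that computes the exact impersonation and substitution deception probabilities of a small code with splitting and compares them with the two bounds above; it assumes uniform encoding, source and splitting strategies, and counts a substitute message as deceiving only when it decodes to a different source state.

```python
from fractions import Fraction

# Constructed toy authentication code with splitting: k = 2 source states,
# v = 4 messages, b = 4 encoding rules. Rule e_i sends source 0 to message i
# and source 1 to either of the next two messages (mod 4), so k(e) = 3 and
# max_{s} |e(s)| = 2 for every rule.
S, V = (0, 1), 4
E = {i: {0: {i}, 1: {(i + 1) % 4, (i + 2) % 4}} for i in range(4)}

def messages(e):            # M(e), the messages permitted under rule e
    return set().union(*E[e].values())

def split(e):               # max_{s in S} |e(s)| for rule e
    return max(len(ms) for ms in E[e].values())

def bound_pd0():            # min_e k(e) / v
    return min(Fraction(len(messages(e)), V) for e in E)

def bound_pd1():            # min_e (k(e) - max|e(s)|) / (v - max|e(s)|)
    return min(Fraction(len(messages(e)) - split(e), V - split(e)) for e in E)

def joint_law(p_e, p_s):
    # Pr[e, s, m] for encoding strategy p_e, source law p_s and uniform splitting
    law = {}
    for e in E:
        for s in S:
            for m in E[e][s]:
                law[(e, s, m)] = p_e[e] * p_s[s] / len(E[e][s])
    return law

def exact_pd0(p_e):
    # impersonation: send the message accepted under the heaviest set of rules
    return max(sum(p_e[e] for e in E if m in messages(e)) for m in range(V))

def exact_pd1(p_e, p_s):
    # substitution: after seeing m, replace it by the m' most likely to be
    # accepted AND to decode to another source state (same-state messages
    # are valid but do not mislead the receiver)
    law = joint_law(p_e, p_s)
    total = Fraction(0)
    for m in range(V):
        total += max(sum(pr for (e, s, mm), pr in law.items()
                         if mm == m and m2 in messages(e) and m2 not in E[e][s])
                     for m2 in range(V) if m2 != m)
    return total

UNIFORM_E = {e: Fraction(1, 4) for e in E}
UNIFORM_S = {s: Fraction(1, 2) for s in S}
```

For this code the impersonation bound is met with equality (3/4), while the substitution probability (3/4) stays strictly above its bound (1/2).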

These bounds can also be generalized for a spoofing attack of order $i$ [4] to 

$$P_{d_i} \ge \min_{e \in E} \frac{k(e) - i \cdot \max_{s \in S} |e(s)|}{v - i \cdot \max_{s \in S} |e(s)|}.$$

An authentication system which achieves equality $\forall i$, $0 \le i \le L$, is called $L$-fold secure 
against spoofing (this is a generalization of the definition for codes without splitting, see 
[6], [14]). 

The number of keys is basically influenced by the following two aspects: (i) the 
distribution on the source states and (ii) the secrecy of the code. In [4] we obtain the 
following bound: 

If a code achieves perfect $L$-fold secrecy and is $(L-1)$-fold secure against spoofing, then 

$$b \ge \frac{v \cdot (v - \max_{s \in S} |e(s)|) \cdots (v - (L-1) \cdot \max_{s \in S} |e(s)|)}{L!}.$$

Analogously as for codes without splitting [14], we define an optimal $L$-code to be a code 
which achieves perfect $L$-fold secrecy, which is $(L-1)$-fold secure against spoofing and 
which meets equality in the foregoing formula. 
3 Constructions for authentication codes with arbitrary source distribution 

3.1 Authentication codes derived from partial geometries 

A (finite) partial geometry (PG) is an incidence structure $\mathcal{S} = (P, B, I)$ in which $P$ and 
$B$ are disjoint (nonempty) sets of objects called points and lines resp., and for which $I$ 
is a symmetric point-line incidence relation satisfying the following axioms: 

1. Each point is incident with $t + 1$ lines ($t \ge 1$) and two distinct points are incident 
with at most one line. 

2. Each line is incident with $s + 1$ points ($s \ge 1$) and two distinct lines are incident 
with at most one point. 

3. If $x$ is a point and $L$ a line not incident with $x$, then there are exactly $\alpha$ 
($\alpha \ge 1$) points $x_1, x_2, \ldots, x_\alpha$ and $\alpha$ lines $L_1, L_2, \ldots, L_\alpha$ such that $x \, I \, L_i \, I \, x_i \, I \, L$, 
$i = 1, 2, \ldots, \alpha$. 

Partial geometries were introduced by R. C. Bose. The partial geometries with $\alpha = 1$ 
are the generalized quadrangles (GQ). 

There holds $|P| = (s+1)(st+\alpha)/\alpha$, $|B| = (t+1)(st+\alpha)/\alpha$, 
$\alpha(s+t+1-\alpha) \mid st(s+1)(t+1)$ and $(s+1-2\alpha)t \le (s-1)(s+1-\alpha)^2$ (and dually). 
We remark that the dual incidence structure $\mathcal{S}' = (P', B', I')$, $P' = B$, $B' = P$, $I' = I$, 
is a partial geometry with parameters $t' = s$, $s' = t$ and $\alpha' = \alpha$. 
Further information about PG and GQ can be found in [7]. 

1. From a generalized quadrangle of order $(s, t)$, $s, t > 1$, we can define the following 
two authentication codes without splitting [3]. 

• A GQ of order $(s, t)$ defines a Cartesian $AC(t+1, (t+1)s, ts^2)$ which is 0-fold 
secure against spoofing and for which $P_{d_1} = 1/s$. 

• If the GQ contains a regular point, the foregoing code can be improved to an 
$AC(t+1, (t+1)s, (t+1)s^2)$ which is 0-fold secure against spoofing, which has 
perfect 1-fold secrecy, and for which $P_{d_1} = 1/s$. 
2. A PG with parameters $s, t > 1$, $\alpha > 1$ defines an $AC(t+1, (t+1)s, (t+1)st(s+1-\alpha))$ 
code which has 0-fold security against spoofing and which has perfect 1-fold 
secrecy [4]. 

3. A spread of a PG $\mathcal{S}$ is a set $\mathcal{R}$ of lines of $\mathcal{S}$ such that each point of $\mathcal{S}$ is incident 
with a unique line of $\mathcal{R}$. Hence there holds $|\mathcal{R}| = (st+\alpha)/\alpha$. 
Let $\mathcal{S}$ be a PG with parameters $s, t > 1$, $\alpha \ge 1$, containing a spread $\mathcal{R}$. Then we 
can define the following authentication codes. 

• For $\alpha > 1$, $\mathcal{S}$ defines an optimal 1-code with splitting [4]. 

• For $\alpha = 1$, $\mathcal{S}$ defines an optimal 1-code without splitting [3]. 

3.2 Authentication codes derived from designs 

Consider an affine resolvable BIB-design. This is a $2$-$(v, k, \lambda)$ design $\mathcal{D} = (P, B, I)$ for 
which there exists a partition $B = B_1 \cup B_2 \cup \cdots \cup B_r$ of the block set, $|B_i| = n$, such that 
each point occurs exactly once in the blocks of any set $B_i$, $1 \le i \le r$, and any two blocks 
of different sets have exactly $\mu > 0$ points in common [1]. There holds $|B| = rn$, 
$|P| = kn$, $\lambda = r(k-1)/(nk-1)$ and $k = \mu n$. 

In [4] we construct the following authentication code with splitting: 

An affine resolvable design $\mathcal{D}$ defines an $AC(n, kn, (r-1)n^s)$ which is 0-fold secure 
against spoofing, which has 1-fold secrecy, and for which $P_{d_1} = \lambda/(r-1)$. 
Introduction 

The use of credit cards today is an act of faith on the part of all concerned. Each party 
is vulnerable to fraud by the others, and the cardholder in particular has no protection 
against surveillance. 

Paper cash is considered to have a significant advantage over credit cards with 
respect to privacy, although the serial numbers on cash make it traceable in principle. 
Chaum has introduced unconditionally untraceable electronic money ([C85] and [C88]). 
But what is to prevent anyone from making several copies of an electronic coin and 
using them at different shops? On-line clearing is one possible solution though a rather 
expensive one. Paper banknotes don't present this problem, since making exact copies 
of them is thought to be infeasible. Nor do credit cards, because their unique identity 
lets the bank take legal action to regain overdrawn balances, and the bank can add 
cards to a blacklist. 

Generating electronic cash should be difficult for anyone, unless it is done in 
cooperation with the bank. The RSA digital signature scheme can be used to realize 
untraceable electronic money as proposed in [C85] and [C88]. This money might be 
of the form $(x, f(x)^{1/3} \pmod n)$ where $n$ is some composite whose factorization is 
known only to the bank and $f$ is a suitable one-way function. The protocol for issuing 
and spending such money can be summarized as follows: 
1. Alice chooses a random $x$ and $r$, and supplies the bank with $B = r^3 f(x) \pmod n$. 

t Work done while the second and third authors were at the University of California 
at Berkeley. The work of the second author was supported by a Weizmann Postdoctoral 
Fellowship and by NSF Grants DCR 84-11954 and DCR 85-13926. The work of the third 
author was supported by NSF Grants DCR 85-13926 and CCR 88-13632. 
2. The bank returns the third root of $B$ modulo $n$: $r \cdot f(x)^{1/3} \pmod n$ and with- 
draws one dollar from her account. 

3. Alice extracts $C = f(x)^{1/3} \bmod n$ from $B$. 

4. To pay Bob one dollar, Alice gives him the pair $(x, f(x)^{1/3} \pmod n)$. 

5. Bob immediately calls the bank, verifying that this electronic coin has not already 
been deposited. 

Everyone can easily verify that the coin has the right structure and has been signed by 
the bank, yet the bank cannot link this specific coin to Alice's account. 

Among other advantages, the new approach presented here removes the require- 
ment that the shopkeeper must contact the bank during every transaction. If Alice 
uses a coin only once, her privacy is protected unconditionally. But if Alice reuses a 
coin, the bank can trace it to her account and can prove that she has used it twice. 

Our work is motivated by that on minimum disclosure ([C86], [BC86a], [BC86b] 
and [BCC]) and on zero-knowledge ([GMR], [GMW86a] and [GMW86b]). Our scheme 
protects Alice's privacy unconditionally as is possible with the former, rather than 
computationally as in the latter. Using these very general results - which seem to be 
infeasible in practice - the security of the protocols presented here could be reduced to, 
say, factoring (or any one-way permutation if Alice's privacy is only computationally 
secure). Instead, we use the cut-and-choose methodology (first introduced in [R77]) 
directly, yielding quite practical constructions. 

The next section presents our basic scheme, which guarantees untraceability, yet 
allows the bank to trace a "repeat spender". We then show how to modify the protocol 
so that the bank can supply incontestable proof that Alice has reused her money. 
Finally, we give a more efficient variant and briefly discuss further work. 

1. Untraceable Coins 

The bank initially publishes an RSA modulus $n$ whose factorization is kept se- 
cret and for which $\phi(n)$ has no small odd factors. The bank also sets some security 
parameter $k$. 

Let $f$ and $g$ be two-argument collision-free functions; that is, for any particular 
such function, it is infeasible to find two inputs that map to the same point. We 
require that $f$ be "similar to a random oracle". For unconditional untraceability we 
also require $g$ to have the property that fixing the first argument gives a one-to-one (or 
$c$ to 1) map from the second argument onto the range. 

Alice has a bank account numbered $u$ and the bank keeps a counter $v$ associated 
with it. Let $\oplus$ denote bitwise exclusive or and $\|$ denote concatenation. 

To get an electronic coin, Alice conducts the following protocol with the bank: 
1. Alice chooses $a_i, c_i, d_i$ and $r_i$, $1 \le i \le k$, independently and uniformly at random 
from the residues (mod $n$). 

2. Alice forms and sends to the bank $k$ blinded candidates (called $B$ for mnemonic 
purposes) 

$$B_i = r_i^3 \cdot f(x_i, y_i) \bmod n \quad \text{for } 1 \le i \le k,$$

where 

$$x_i = g(a_i, c_i), \qquad y_i = g(a_i \oplus (u \| (v + i)), d_i).$$

3. The bank chooses a random subset of $k/2$ blinded candidate indices $R = \{i_j\}$, 
$1 \le i_j \le k$ for $1 \le j \le k/2$ and transmits it to Alice. 

4. Alice displays the $r_i$, $a_i$, $c_i$ and $d_i$ values for all $i$ in $R$, and the bank checks them. 
Note that $u \| (v + i)$ is known to the bank. To simplify notation we will assume 
that $R = \{k/2 + 1, k/2 + 2, \ldots, k\}$. 

5. The bank gives Alice 

$$\prod_{i \notin R} B_i^{1/3} = \prod_{1 \le i \le k/2} B_i^{1/3} \bmod n$$

and charges her account one dollar. The bank also increments Alice's counter $v$ 
by $k$. 

6. Alice can then easily extract the electronic coin 

$$C = \prod_{1 \le i \le k/2} f(x_i, y_i)^{1/3} \bmod n.$$

Alice reindexes the candidates in $C$ to be lexicographic on their representation: 
$f(x_1, y_1) < f(x_2, y_2) < \cdots < f(x_{k/2}, y_{k/2})$. Alice also increments her copy of the 
counter $v$ by $k$. 

Note: For any fixed $\varepsilon$, if fewer than $(1 - \varepsilon)$ of the $k$ blinded candidates $B_i$ have the 
proper form $(r_i^3 f(g(a_i, c_i), g(a_i \oplus (u \| (v + i)), d_i)))$, then Alice is caught with probability 
$1 - \exp(-c \varepsilon k)$ for some constant $c$. 

To pay Bob one dollar, Alice and Bob proceed as follows: 

1. Alice sends C to Bob. 

2. Bob chooses a random binary string $z_1, z_2, \ldots, z_{k/2}$. 

3. Alice responds as follows, for all $1 \le i \le k/2$: 

a. If $z_i = 1$, then Alice sends Bob $a_i$, $c_i$ and $y_i$. 

b. If $z_i = 0$, then Alice sends Bob $x_i$, $a_i \oplus (u \| (v + i))$ and $d_i$. 

4. Bob verifies that C is of the proper form and that Alice's responses fit C. 

5. Bob later sends C and Alice's responses to the bank, which verifies their correctness 
and credits his account. 
The bank must store $C$, the binary string $z_1, \ldots, z_k$ and the values $a_i$ (for $z_i = 1$) 
and $a_i \oplus (u \| (v + i))$ (for $z_i = 0$). 

If Alice uses the same coin $C$ twice, then she has a high probability of being traced: 
with high probability, two different shopkeepers will send complementary binary values 
for at least one bit $z_i$ for which $B_i$ was of the proper form. The bank can easily search 
its records to ensure that $C$ has not been used before. If Alice uses $C$ twice, then, with 
high probability, the bank has both $a_i$ and $a_i \oplus (u \| (v + i))$. Thus, 
the bank can isolate $u$ and trace the payment to Alice's account. 
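A toy end-to-end run of the Section 1 protocol (withdrawal with cut-and-choose, payment against a shopkeeper's challenge, and the bank's double-spending trace), added here as an illustration; it is not code from the paper. Assumptions: f and g are instantiated as SHA-256 reduced mod n, the modulus is a small constructed value, u||(v+i) is packed into one 64-bit integer, and the lexicographic reindexing of step 6 is skipped (factors are kept in index order).

```python
import hashlib, secrets
from math import gcd

# Constructed toy parameters (NOT secure sizes), chosen so that gcd(3, phi(n)) = 1.
P, Q = 1000000007, 998244353
N = P * Q
PHI = (P - 1) * (Q - 1)
assert gcd(3, PHI) == 1
D = pow(3, -1, PHI)          # bank's secret: the cube root of B mod n is B**D

def _h(tag, *parts):
    # assumed instantiation of f and g: SHA-256 over fixed-width operands, reduced mod n
    m = hashlib.sha256(tag.encode())
    for x in parts:
        m.update(x.to_bytes(32, "big"))
    return int.from_bytes(m.digest(), "big") % N

def f(x, y): return _h("f", x, y)
def g(a, c): return _h("g", a, c)

def enc_uv(u, vi):
    return (u << 32) | vi    # u || (v+i) as one 64-bit integer, u in the high 32 bits

class Alice:
    def __init__(self, u, v, k):
        self.u, self.v, self.k = u, v, k
    def candidates(self, claimed_u=None):
        # steps 1-2: random a_i, c_i, d_i, r_i and B_i = r_i^3 f(x_i, y_i) mod n;
        # claimed_u != u models a malformed candidate that hides the account number
        u, k = (self.u if claimed_u is None else claimed_u), self.k
        self.a, self.c, self.d = ([secrets.randbits(64) for _ in range(k)] for _ in range(3))
        self.r = [secrets.randbelow(N - 2) + 2 for _ in range(k)]
        self.t = [self.a[i] ^ enc_uv(u, self.v + i + 1) for i in range(k)]   # a_i xor (u||(v+i))
        self.x = [g(self.a[i], self.c[i]) for i in range(k)]
        self.y = [g(self.t[i], self.d[i]) for i in range(k)]
        return [pow(self.r[i], 3, N) * f(self.x[i], self.y[i]) % N for i in range(k)]
    def open(self, R):
        # step 4: reveal r_i, a_i, c_i, d_i for the indices the bank chose
        return {i: (self.r[i], self.a[i], self.c[i], self.d[i]) for i in R}
    def unblind(self, signed, kept):
        # step 6: divide the bank's cube root by the r_i of the unopened candidates
        self.kept, self.v = kept, self.v + self.k
        for i in kept:
            signed = signed * pow(self.r[i], -1, N) % N
        self.coin = signed
        return self.coin
    def respond(self, z):
        # payment step 3: (a_i, c_i, y_i) if z_i = 1, else (x_i, a_i xor (u||(v+i)), d_i)
        return [(self.a[i], self.c[i], self.y[i]) if bit else (self.x[i], self.t[i], self.d[i])
                for bit, i in zip(z, self.kept)]

def verify_payment(coin, z, responses):
    # payment step 4: C^3 must equal the product of the recomputed f(x_i, y_i)
    prod = 1
    for bit, resp in zip(z, responses):
        prod = prod * (f(g(resp[0], resp[1]), resp[2]) if bit else f(resp[0], g(resp[1], resp[2]))) % N
    return pow(coin, 3, N) == prod

class Bank:
    def __init__(self):
        self.counters, self.seen = {}, {}
    def withdraw(self, u, B, alice):
        # steps 3-5: open k/2 random candidates, check them, sign the product of the rest
        k, v = len(B), self.counters.get(u, 0)
        R = sorted(secrets.SystemRandom().sample(range(k), k // 2))
        for i, (r, a, c, d) in alice.open(R).items():
            if B[i] != pow(r, 3, N) * f(g(a, c), g(a ^ enc_uv(u, v + i + 1), d)) % N:
                raise ValueError("malformed candidate %d" % i)
        kept = [i for i in range(k) if i not in R]
        prod = 1
        for i in kept:
            prod = prod * B[i] % N
        self.counters[u] = v + k
        return pow(prod, D, N), kept
    def deposit(self, coin, z, responses):
        if not verify_payment(coin, z, responses):
            return "rejected"
        if coin not in self.seen:
            self.seen[coin] = (z, responses)
            return "credited"
        z0, r0 = self.seen[coin]
        for i, (b0, b1) in enumerate(zip(z0, z)):
            if b0 != b1:      # one deposit revealed a_i, the other a_i xor (u||(v+i))
                a = r0[i][0] if b0 else responses[i][0]
                t = responses[i][1] if b0 else r0[i][1]
                return "double spend by account %d" % ((a ^ t) >> 32)
        return "double spend, identical challenges: untraceable"

def run_demo(k=16, u=42, claimed_u=None):
    bank, alice = Bank(), Alice(u, 0, k)
    signed, kept = bank.withdraw(u, alice.candidates(claimed_u), alice)
    coin = alice.unblind(signed, kept)
    z1 = [secrets.randbits(1) for _ in kept]    # Bob's random challenge
    z2 = [1 - b for b in z1]                     # a second shop's complementary challenge
    return (bank.deposit(coin, z1, alice.respond(z1)),
            bank.deposit(coin, z2, alice.respond(z2)))
```

With `claimed_u` set to a different account number every candidate is malformed, so the bank's cut-and-choose check raises on the first opened index.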

A possible problem with this scheme is a collusion between Alice and a second 
shopkeeper Charlie. After the transaction with Bob, Alice describes the transaction 
to Charlie, and both Bob and Charlie send the bank the same information; the bank 
knows that with very high probability one of them is lying, but has no way of telling 
which one, and cannot trace the coin to Alice's account. 

By fixing Bob's challenge to Alice, however, such a coalition can be kept from 
defrauding the bank. Every shopkeeper has a fixed query string, and every two strings 
have Hamming distance at least ck for some constant c. To prevent Alice from reusing 
the same coin at the same shop part of the challenge should still be random, or the 
shopkeeper should maintain his own list. 

The scheme we describe above requires Alice to hold several coin denominations 
and use them to pay the exact amount. Section 3 presents a more efficient way to 
handle exact amounts. 

2. Proving Multiple Spending 

The scheme we describe above has the unfortunate property that the bank can frame 
Alice as a multiple spender. This means that these schemes cannot have any legal 
significance. To prevent a frame-up we assume that Alice has a digital signature scheme 
and a certified copy of her public key. Because we use digital signatures, Alice is 
protected against frame-up only computationally, not unconditionally. Yet, Alice's 
privacy remains unconditionally protected. 

Rather than use the same account number u for all coins given to Alice, u will 
vary from coin to coin and from one blinded candidate to the next. We describe only 
the modifications to the basic scheme of section one. 

Alice chooses two random integers $z'_i$ and $z''_i$ for every $i$; $u_i$ could then be chosen 
of the form "Alice's Account Number" $\| z'_i \| z''_i$. Along with the blinded candidates (the 
$B_i$ values) Alice supplies the bank with a digital signature on 
During the cut-and-choose, the bank verifies that each of the $k/2$ $B_i$'s it exam- 
ines generates an appropriate $u_i$. The bank has legal proof that Alice reused the coin 
whenever it can present the preimage of at least $k/2 + 1$ of the $g(z'_i, z''_i)$. 

Of course Alice has no hope if the bank can break the signature scheme she has 
chosen. Assuming the bank cannot forge her signature, then even if the bank can break 
$g$, its bijective property mentioned earlier ensures, with high probability, that she can 
prove $g$ was broken by showing her $(z'_i, z''_i)$ for any broken $g(z'_i, z''_i)$. This is a proof, 
since the assumption is that only the bank and not Alice can break $g$. 

3. Untraceable Checks 

The following scheme emulates the concept of guaranteed checks (similar to that of 
EuroChecks), but ensures untraceability. Alice requests a set of checks, whereby she 
can use each check for any single amount up to its limit and can later request a refund 
for the difference (limit minus actual sum). The bank will not know where the money 
was spent, nor the individual transaction amounts. 

Alice can generate several checks in one interaction with the bank. The checks are 
similar to the basic version described in section one, but the first j factors are used 
to encode the purchase sum and the next k — j factors are used to prevent Alice from 
using any check more than once. 

The bank publishes two different RSA moduli, n and n', which are used for two 
different kinds of digital signature. 

Alice's u can be used either as in section one or in section two. As before, let v be 
Alice's personal counter. 

Alice sends the bank $t$ pairs of major and minor candidates. For every major 
candidate Alice chooses $b$, $c$, $d$, and $a$ at random; a major candidate $M_i$ is of the form 
$f(x, y)$ where $x = g(a \| b, c)$ and $y = g(a \oplus (u \| (v + i)), d)$. Each minor candidate is of 
the form $g(b, e)$ where $e$ is chosen at random. Alice generates several major candidates 
$M_1, M_2, \ldots, M_t$ and their related minor candidates $m_1, m_2, \ldots, m_t$. 

Alice blinds the major and minor terms before submitting them to the bank. 
Blinded major candidates are of the form $B(M_i) = r^{3^i} \cdot M_i \bmod n$, where $r$ is chosen 
at random; blinded minor candidates are of the form $B(m_i) = r^{3^i} \cdot m_i \bmod n'$. If the 
bank provides some $3^i$-th root of a blinded major (minor) term, $i \le k$, then, as before, 
Alice can extract the appropriate root of the major (minor) term itself. 

Alice sends the blinded $M_i$'s and $m_i$'s to the bank. Much as in section two, the 
bank performs a cut-and-choose operation, verifying that $1/2$ of the pairs have the 
proper form. Then the bank performs a random permutation of the rest, group- 
ing them into ordered sets of size $k$. Let one such set be denoted for simplicity 
$B(M_1), B(M_2), \ldots, B(M_k)$. The bank extracts the following roots: 

$$F_i = B(M_i)^{1/3^i} \pmod n \quad \text{for } 1 \le i \le k,$$
$$D_i = B(m_i)^{1/3^i} \pmod{n'} \quad \text{for } 1 \le i \le j.$$

The bank now returns the product of the $k$ roots of blinded major candidates 
$(\prod_{i=1}^{k} F_i)$; the appropriate roots of the $j$ blinded minor candidates are returned indi- 
vidually. Alice extracts the check 

$$C = \prod_{i=1}^{k} M_i^{1/3^i}$$

and $E_1, E_2, \ldots, E_j$, where $E_i = m_i^{1/3^i}$. 

The bank now increments Alice's counter v by t, Alice does likewise to her local 
copy. 

To make a purchase with such a check Alice encodes the purchase sum by regarding 
the first $j$ of the $M_i$ locations as denominations $1, 2, \ldots, 2^{j-1}$. If the $i$th denomination 
is a term in the purchase sum, then Alice reveals to the shopkeeper the appropriate $y_i$ 
and the preimages of the $x_i$; if the $i$th denomination is not a term in the purchase sum, 
then Alice reveals $x_i$ and $y_i$. Thus, later presenting $E_i$ and the internal structure of 
the matching $m_i$ term to the bank for a refund is safe exactly when the denomination 
is not spent. 

Note: Given a root of the form $x^{1/3^i}$, it is trivial to compute roots of the form $x^{1/3^j}$ for 
$j < i$. Thus, Alice could use the denomination $2^j$, not use the denomination $2^i$, $j < i$, 
and present the bank with the value 

$$E_i^{3^{i-j}} = (m_i^{1/3^i})^{3^{i-j}} = m_i^{1/3^j} = g(b, e)^{1/3^j} \pmod{n'},$$

claiming that this is a signed minor term for an unused $2^j$ denomination. The bank has 
no trace of the appropriate $b$ value and would grant the refund. Fortunately, this would 
not be in Alice's interest, since she would get a smaller refund than she is entitled to. 
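An added illustration, not the paper's code, of the $3^i$-th root signatures behind the minor terms, the denomination encoding of the purchase sum, and the root conversion the Note relies on (which is why the refund check alone cannot tell a converted root from a genuine one). A constructed toy modulus $n'$ and SHA-256 in place of $g$ are assumed.

```python
import hashlib, secrets
from math import gcd

# Constructed toy modulus n' (NOT a secure size); gcd(3, phi) = 1, so every
# 3^i-th root mod n' exists and is unique.
P, Q = 1000000007, 998244353
N2 = P * Q
PHI = (P - 1) * (Q - 1)
assert gcd(3, PHI) == 1

def g(b, e):
    # assumed instantiation of the collision-free g: SHA-256 reduced mod n'
    h = hashlib.sha256(b"g" + b.to_bytes(32, "big") + e.to_bytes(32, "big")).digest()
    return int.from_bytes(h, "big") % N2

def bank_root(value, i):
    # bank's side: the 3^i-th root of value, computable only with phi(n')
    return pow(value, pow(3 ** i, -1, PHI), N2)

def issue_minor(b, e, i):
    # Alice blinds m_i = g(b, e) with r^(3^i), the bank signs the blinded term,
    # and Alice divides out r to obtain E_i = m_i^(1/3^i)
    m = g(b, e)
    r = secrets.randbelow(N2 - 2) + 2
    blinded = pow(r, 3 ** i, N2) * m % N2
    E_i = bank_root(blinded, i) * pow(r, -1, N2) % N2
    return m, E_i

def refund_check(E, b, e, j):
    # bank's refund check for position j (denomination 2^(j-1)):
    # E must be a 3^j-th root of the opened minor term g(b, e)
    return pow(E, 3 ** j, N2) == g(b, e)

def spent_positions(amount, j):
    # positions 1..j carry denominations 1, 2, ..., 2^(j-1); return those in the sum
    assert 0 <= amount < 2 ** j
    return {i for i in range(1, j + 1) if amount & (1 << (i - 1))}

def lower_root(E_i, i, j):
    # the Note: cubing x^(1/3^i) i-j times yields x^(1/3^j) for j < i
    return pow(E_i, 3 ** (i - j), N2)
```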

The last $k - j$ major terms prevent Alice from using the check more than once, 
even if the purchase amount is exactly the same. As in section one, the shopkeeper 
could present a random challenge or every shopkeeper has a probe sequence for these 
$k - j$ terms chosen from a code with large Hamming distance. 

Alice does however, have a good chance of successfully cheating the bank with 
respect to the refund. All she needs is two unrelated major and minor terms. Still, 
this type of cheating is far less dangerous than having an open check that can be used 
over and over again. The bank could penalize Alice whenever it detects an attempt at 
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cheating, negating Alice's expected profit from cheating attempts. A variation would 
allocate two major terms per denomination, making the probability of cheating much 
smaller. 

4. Blacklisting Withdrawals 

It may be desirable that if Alice uses a coin twice then the bank can blacklist all of the 
coins Alice has withdrawn. Obviously, this means that all her coins must be related in 
some manner. The idea is to encrypt some redundancy in Alice's "random" choices; 
this redundancy can be recognized only when Alice spends a coin more than once. 
Alice's privacy is thus protected only computationally, not unconditionally. 

Consider the basic scheme: Alice sends the bank k blinded candidates of the form 
r^3 f(g(a, c), g(a ⊕ (u || (v + i)), d)), where a, c and d are chosen at random by Alice, v is 
Alice's counter, i is the candidate serial number and u is Alice's account number. We 
modify the protocol so that Alice generates b electronic coins simultaneously. 

Alice sends the bank bk blinded candidates as a matrix 

\begin{pmatrix} B_{11} & B_{12} & \cdots & B_{1k} \\ B_{21} & B_{22} & \cdots & B_{2k} \\ \vdots & \vdots & \ddots & \vdots \\ B_{b1} & B_{b2} & \cdots & B_{bk} \end{pmatrix} 


The bank asks to see k/2 columns in their entirety. Each B_ij should be of the 
form 

B_{ij} = r_{ij}^3 f(g(a_{ij}, c_{ij}), g(a_{ij} \oplus (u \| k_j \| (v + ki + j)), d_{ij})). 

Alice chooses r_ij, a_ij at random per blinded term and chooses k_j at random per column. 

Let {h_l} be a family of one-way functions. Each c_ij is of the form h_{k_j}(c'_ij) || c'_ij; 
each d_ij is of the form h_{k_j}(d'_ij) || d'_ij. Alice chooses c'_ij and d'_ij at random per blinded 
term. 

The bank can easily verify that each of the k/2 columns it sees is of the proper form. 
For notational simplicity, we assume that the bank asks to see columns k/2 + 1, ..., k. 
The bank then supplies Alice with b products 

P_i = \prod_{1 \le j \le k/2} B_{ij}^{1/3} \pmod n 

and charges her account b dollars. 
Alice can then easily extract 

C_i = \prod_{1 \le j \le k/2} f(g(a_{ij}, c_{ij}), g(a_{ij} \oplus (u \| k_j \| (v + ki + j)), d_{ij}))^{1/3} \pmod n, \quad 1 \le i \le b. 

Alice also arranges the factors into lexicographic sequence. 

These coins are used exactly as in the basic scheme, except that the shopkeeper 
has the set of blacklisted indices L. If the merchant sends e_j = 1, then Alice must 
reveal the appropriate a, c and y. The shopkeeper computes f(g(a, c), y) and checks 
that c = c'' || c' does not satisfy c'' = h_l(c') for any l ∈ L. Similarly, if the shopkeeper 
sends e_j = 0, then Alice must reveal the appropriate x, a ⊕ (u || k_j || (v + ki + j)) and 
d = d'' || d'. Again, the shopkeeper checks that d'' ≠ h_l(d') for all l ∈ L. 

If Alice uses any coin more than once then the bank adds the appropriate revealed 
k_j's to the blacklist supplied to the merchants. 
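The shopkeeper's check against L, and the way the bank obtains the k_j it blacklists, as an added example that is not code from the paper. It assumes that the one-way family {h_l} is realised as HMAC-SHA256 keyed by the index l (the paper only asks for one-way functions), fixed byte widths for u, k_j and the serial (v + ki + j), and a double-spend in which the same coin is answered once with e_j = 1 and once with e_j = 0, so that a and a ⊕ (u || k_j || serial) are both revealed. All sample values (account number, column keys, randomness) are constructed.

```python
"""Blacklisting check of section 4 on constructed values (added example)."""
import hashlib
import hmac

U_LEN = K_LEN = SER_LEN = 8   # assumed fixed widths of u, k_j and the serial (v + ki + j)
TAG_LEN = 16                  # bytes of h_l output kept as the redundancy half c''


def h(l, x):
    """One member h_l of the one-way family, modelled here as HMAC-SHA256 keyed by l."""
    return hmac.new(l, x, hashlib.sha256).digest()[:TAG_LEN]


def make_redundant(k_j, c_prime):
    """c_ij = h_{k_j}(c'_ij) || c'_ij (d_ij has the same shape)."""
    return h(k_j, c_prime) + c_prime


def shopkeeper_accepts(c, blacklist):
    """Split the revealed c into c'' || c' and reject the coin if c'' = h_l(c')
    for any blacklisted index l in L.  Without l the tag reveals nothing."""
    c2, c1 = c[:TAG_LEN], c[TAG_LEN:]
    return not any(hmac.compare_digest(c2, h(l, c1)) for l in blacklist)


def xor_bytes(x, y):
    return bytes(p ^ q for p, q in zip(x, y))


def pack_identity(u, k_j, serial):
    """The string u || k_j || (v + ki + j) that is XORed into a."""
    assert len(u) == U_LEN and len(k_j) == K_LEN and len(serial) == SER_LEN
    return u + k_j + serial


def recover_from_double_spend(a, a_xor_identity):
    """A coin answered once with e_j = 1 (revealing a) and once with e_j = 0
    (revealing a XOR (u || k_j || serial)) gives the bank u and k_j."""
    ident = xor_bytes(a, a_xor_identity)
    return ident[:U_LEN], ident[U_LEN:U_LEN + K_LEN]


def bank_update_blacklist(blacklist, a, a_xor_identity):
    """Add the k_j revealed by a double-spend to the list L sent to merchants."""
    _, k_j = recover_from_double_spend(a, a_xor_identity)
    return blacklist | {k_j}


if __name__ == "__main__":
    # Constructed sample values: Alice's account number and column index, Bob's index.
    u_alice, k_alice, k_bob = b"acct0001", b"colkey01", b"colkey02"
    serial = (5).to_bytes(SER_LEN, "big")
    a = bytes(range(24))                                   # Alice's random a for one term
    c_alice = make_redundant(k_alice, b"\x11" * 16)        # c of another coin from Alice's column
    c_bob = make_redundant(k_bob, b"\x22" * 16)
    L = set()
    print("before:", shopkeeper_accepts(c_alice, L), shopkeeper_accepts(c_bob, L))
    # Alice spends one coin twice; the two challenge bits reveal a and a XOR identity.
    L = bank_update_blacklist(L, a, xor_bytes(a, pack_identity(u_alice, k_alice, serial)))
    print("after :", shopkeeper_accepts(c_alice, L), shopkeeper_accepts(c_bob, L))
```

Before the double-spend both coins pass, because a merchant who does not know k_j cannot tell whether c'' is a tag at all. Once k_j is on L, every remaining coin whose redundancy was built with that index is rejected, while Bob's coin, built under a different index, still passes.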

5. Further Work 

In forthcoming work, Chaum and Impagliazzo investigate formal requirements for the 
function f, and den Boer has proposed suitable g's whose security is reducible to fac- 
toring or to discrete log. A good deal of progress has been made towards establishing 
the overall security of similar protocols [CE87]. Formal proofs for the protocols of this 
paper, however, remain an open challenge. 
Summary 

Payment systems and credential mechanisms are protocols allowing individuals to 
conduct a wide range of financial and social activities while preventing even infinitely 
powerful and cooperating organizations from monitoring these activities. These concepts 
were invented and first studied by David Chaum. 

Clearly, such systems must also be secure against abuse by individuals (prevent them 
from showing credentials that have not been issued to them, etc.). In this work, we present 
constructions for which we can prove that no individual can cheat successfully unless he 
possesses an algorithm that contradicts a single plausible intractability assumption. This 
can be done while maintaining the unconditional security against abuse by organizations. 

Our construction will work using any general two-party computation protocol with 
unconditional privacy for one party, and any signature scheme secure against adaptive 
chosen message attacks (these concepts are explained in more detail later). From the sig- 
nature scheme by Bellare and Micali [BeMi] and the multiparty computation protocol by 
Chaum, Damgard and van de Graaf [ChDaGr], it will be clear that both requirements can 
be met if pairs of claw free functions and trapdoor one-way permutations exist. This, in 
turn, is satisfied, for example if factoring Blum integers is a hard problem. 

For credential mechanisms, we obtain an additional advantage over an earlier propo- 
sal [ChEv], where a center trusted by the organizations (but not by individuals) was 
needed. This center possessed a "master" secret allowing it to issue all types of credentials 
supported by the system. Moreover, the center had to be on-line permanently. In our con- 
struction, only an off-line center is needed, which only has to be trusted as far as validating 
the identity of each individual is concerned. Only organizations authorized to issue a 
given type of credential have the ability to compute them. 

* This research was supported by the Danish Natural Science Research Council. 
1. Related Work 

In earlier work, Chaum [Ch] and Chaum and Evertse [ChEv] have proposed ways to 
implement payment systems and credential mechanisms, and have established their secu- 
rity against infinitely powerful organizations by information theoretic arguments. While 
these constructions were quite practical, they left some open questions with regard to the 
security against abuse by individuals: For payment systems, this security depended on the 
assumption that RSA used for signatures, along with some redundancy scheme or one way 
function, is secure against a chosen message attack. So far, no one has been able to reduce 
this to some widely accepted intractability assumption, and in fact many proposed redun- 
dancy schemes have subsequently been broken. For credential mechanisms, the security 
could only be proved in a restricted, formal model, where potentially bad interaction 
between RSA and the one way function used was abstracted away. Moreover, an assump- 
tion about a very powerful center was needed, as outlined in the summary above (note, 
however, that Chaum [Ch2] has later modified the construction to do without this last 
assumption). 

Chaum [Ch3] has also designed a credential mechanism which has provable security, 
but is based on the specific homomorphic properties of RSA. This protocol is much 
slower than [ChEv], although not completely unreasonable in practice. 

By contrast, our work is of mainly theoretical interest: while the protocols con- 
structed are probably not practical in the foreseeable future, the main purpose of our work is 
to establish the existence of credential mechanisms and payment systems with respect to as 
weak an intractability assumption as possible. 

In independent work, Chaum [Ch2] has designed a protocol construction with some 
properties quite similar to ours, in terms of feasibility, the intractability assumption 
needed, and the problems that can be solved by the protocols. Chaum's solution uses 
interactive proofs, and not multiparty computations. Compared to our work, the process of 
creating a credential is simplified, while the process of showing one is slightly more com- 
plicated. 

2. Basic Results 

A pair of functions (f_0, f_1) is called claw free if 
- Im(f_0) = Im(f_1). 

- Both functions are t to 1 mappings for some constant t. 

- Both f_0 and f_1 are easy to compute, but it is hard to find a claw, i.e. r, s such that 
f_0(r) = f_1(s). 

It is well known that claw free pairs of permutations exist, for example if factoring a 
Blum-integer is hard. A Blum-integer is an integer n = pq, where p and q are primes 
congruent to 3 modulo 4. As an easy example, consider 

f_0(x) = x^2 mod n, and f_1(x) = (a·x)^2 mod n, 

where a has Jacobi symbol −1. It is elementary to prove that these functions permute the 
set of quadratic residues modulo n, and that knowledge of a claw immediately implies 
knowledge of the factors of n. If the functions are easy to invert, given some extra infor- 
mation, they are called trapdoor. The example above clearly has this property: knowledge 
of the factors of n suffices to extract square roots modulo n. Although more details would 
be required for a formal definition, the above will do for this abstract. Details on claw-free 
functions and their cryptographic applications can be found in [Da]. 

Our protocols are based on the following two results: 
Theorem 1. [BeMi] 

If one-way trapdoor permutations exist, then there exists a signature scheme which is 
secure against an adaptive chosen message attack □ 

Here, "secure" means that an enemy will not be able to produce even a single mes- 
sage m and a valid signature for it, if he has not seen a signature for m produced by the 
real signer. This signature system will be called "The BM signature scheme" in the fol- 
lowing. 

Theorem 2. [ChDaGr] 

If claw free pairs of functions exist, and trapdoor one-way permutations exist, then there 
exists a protocol allowing parties A and B to carry out any (probabilistic) computation 
with private input, such that the secrets of A are unconditionally protected, and the secrets 
of B are protected if A cannot invert the one way trapdoor permutation used □ 

This protocol can easily be generalized such that also the output is kept secret to one 
party. Note also that the unconditional protection of one party is essential to the "uncondi- 
tional untraceability", that we want from the systems constructed in the following. There- 
fore other general computation protocols [Ya], [GoMiWi] cannot be used. 

One of the main ideas in this protocol is that, using a pair (f_0, f_1) of claw free func- 
tions, it is possible for participant A to commit to a choice of a bit, without giving away 
any Shannon information about her choice: having chosen b ∈ {0,1}, A chooses uni- 
formly x ∈ domain(f_b), and computes the commitment f_b(x). If she chooses to do so, A 
can later open the commitment by revealing x; this will convince everybody about her ori- 
ginal choice. 

Since both functions are t to 1 mappings, even an infinitely powerful receiver will not 
be able to compute anything about b from the commitment; and by the claw freeness, a 
polynomially bounded A will not be able to open a commitment in more than one way. 
Note, however, that any method for establishing such commitments can be used by the 
protocol, and that the existence of pairs of claw free functions is not a necessary condition 
for the existence of bit commitment schemes. 
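The claw free pair f_0(x) = x^2 mod n, f_1(x) = (a·x)^2 mod n from the example in this section, the bit commitment built from it, and the step "a claw gives the factors of n", carried out on a toy Blum integer. This is an added example, not code from the paper: the modulus n = 77 = 11·7, the value a = 2, the function names and the brute-force enumeration of QR_n are constructed for illustration; the trapdoor square root uses the exponent (p+1)/4 for Blum primes, which is the standard way of inverting squaring when the factors are known.

```python
"""Claw free pair, bit commitment and claw-to-factor reduction on a toy Blum integer
(added example; n = 77, a = 2 and all names are constructed)."""
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (standard binary algorithm)."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def quadratic_residues(n):
    """QR_n, the set on which f_0 and f_1 are permutations (brute force, toy n only)."""
    return {pow(x, 2, n) for x in range(1, n) if gcd(x, n) == 1}


def f0(x, n, a=None):
    return pow(x, 2, n)


def f1(x, n, a):
    return pow(a * x, 2, n)


def is_permutation_of_qr(f, n, a):
    qr = quadratic_residues(n)
    return {f(x, n, a) for x in qr} == qr


def commit(bit, x, n, a):
    """Commitment to `bit` with randomness x, drawn uniformly from QR_n."""
    return f1(x, n, a) if bit else f0(x, n, a)


def open_commitment(commitment, bit, x, n, a):
    return commit(bit, x, n, a) == commitment


def hiding_holds(n, a):
    """Unconditional hiding: commitments to 0 and to 1 range over the same set QR_n."""
    qr = quadratic_residues(n)
    return {commit(0, x, n, a) for x in qr} == {commit(1, x, n, a) for x in qr} == qr


def sqrt_qr(y, p, q):
    """Trapdoor: the unique square root of y lying in QR_n, by CRT of the principal
    roots y^((p+1)/4) mod p and y^((q+1)/4) mod q (p, q Blum primes)."""
    n = p * q
    rp = pow(y, (p + 1) // 4, p)
    rq = pow(y, (q + 1) // 4, q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n


def factor_from_claw(r, s, n, a):
    """A claw f_0(r) = f_1(s) means r^2 = (a s)^2 mod n.  r is a residue and a s is
    not (Jacobi(a) = -1), so r != +-a s and gcd(r - a s, n) is a proper factor."""
    for candidate in ((r - a * s) % n, (r + a * s) % n):
        g = gcd(candidate, n)
        if 1 < g < n:
            return g
    return None


def demo():
    p, q = 11, 7                      # toy Blum primes (both 3 mod 4), constructed
    n, a = p * q, 2                   # Jacobi(2/77) = -1
    assert jacobi(a, n) == -1
    c = commit(1, 1, n, a)            # honest commitment to bit 1 with x = 1
    r = sqrt_qr(c, p, q)              # trapdoor holder finds the opening for bit 0
    assert open_commitment(c, 0, r, n, a) and open_commitment(c, 1, 1, n, a)
    return factor_from_claw(r, 1, n, a)   # the claw (r, 1) yields a factor of n
```

demo() commits to the bit 1 with x = 1, lets the trapdoor holder find the second opening r = 9 for the bit 0, and recovers the factor 7 of 77 from the claw (9, 1) via gcd(r − a·s, n); this is the reduction the text appeals to when it says a polynomially bounded committer cannot open in two ways. hiding_holds shows the other half: for both bits the commitment is a uniformly random element of QR_n, so an unbounded receiver learns nothing about b.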

In the protocols considered in this paper, we have two kinds of participants: individu- 
als with limited (polynomially bounded) computing power, and organizations, which may 
have unlimited computing power, but are not required to use it in the protocols. Given 
organization O and individual A, consider the following interaction: 
1) O chooses an instance of the BM signature scheme, and sends the public key to A. 

2) A chooses some message m. 

3) A and O use the protocol from Theorem 2 to compute O's signature on m. The pro- 
tocol is set up such that A is unconditionally protected and enters m as private in- 
put, while O enters the secret key to the signature scheme. Also, the signature is 
private output for A. 

4) Steps 2) and 3) are repeated a number of times, polynomial in the security parameter. 

Let us remark that the security parameter is simply an integer that measures the work 
that has to be done in the protocol, and the cryptographic security. 

Theorem 3. 

After the above interaction, the following hold: 

i) O has no information in the Shannon sense about the m's chosen by A. 

ii) A is not able to compute O's signature on any message with non negligible probabil- 
ity, unless it has been chosen in step 2) at some point. 

Proof (sketch). 

i) is clear from Theorem 2. 

Assume ii) is false. Then the following procedure will break the BM scheme under an 
adaptive chosen message attack, contradicting Theorem 1: 

We simply run A's algorithm, and each time A has executed step 2), we use the chosen 
message attack to obtain a valid signature on the m that was chosen. With this informa- 
tion, we can simulate A's interaction with O in step 3) without knowing the secret key. 
By the minimum-knowledge property of the computation protocol, the messages sent in 
the simulated interaction have a distribution which is polynomially indistinguishable from 
those sent in a conversation with the real O. In particular, this means that A's probability 
of outputting a new, signed message is essentially the same in the simulation as in the 
actual interaction with O □ 

3. Payment Systems 

In a payment system, we have one special participant called the bank (B). In addi- 
tion, we have a set of individuals, and a set of organizations. 

Each individual can do a special interaction with B called a withdrawal (one can 
think of this as the individual withdrawing money from his account). If B is willing to 
participate, then after completion of the withdrawal, the individual can compute one ele- 
ment in a set of numbers called EC. A number in EC is called an electronic coin (ec). 
Each individual can submit the ec's he possesses to organizations as payment. The organ- 
ization will then, possibly by interacting with B, decide whether to accept the payment. 
The purpose of a payment system is to ensure that: 

1) Each ec can be submitted and accepted as payment exactly once. 
2) At some point of time, consider the set Ω of successful withdrawals. Let Δ be the set 
of ec's accepted by organizations. Assuming that 1) holds, Δ must correspond in a 
natural way to a subset of Ω, i.e. there is an injective map f : Δ → Ω, such that when 
f(δ) = ω, then ω is exactly the withdrawal which enabled that individual to later 
transmit δ to some organization. We now require that at each point of time, no 
matter which strategy the organizations (including the bank) follow, and no matter 
how much computing power they have, the probability distribution on f they can 
compute will be the uniform distribution over all injective mappings from Δ to Ω. 

Based on Theorem 3, a payment system is easily designed: Assume individual A has 
an account in bank B. The bank chooses an instance of the BM-signature scheme, and we 
fix the rule that any number signed with this instance is an ec. 

When A wishes to conduct a withdrawal, he chooses a random number R and gets the 
bank's signature on it by doing the computation protocol from Theorem 2 with the bank. 
Since R is entered as private input from A, B gets no information on the numbers signed. 
After this, the bank deducts the corresponding amount from A's account. When A wants 
to spend his money, say in shop S, he gives R and the signature to S. S will send this to 
B, who will check if R has been submitted before, and whether the signature is valid. The 
bank then puts money on the account of S and informs S about acceptance of the payment. 

It follows easily from Theorem 3 that A will not be able to spend money without 
receiving it from the bank first, and that the bank will not be able to trace any number it 
receives back to a particular individual, i.e. condition 2) above is satisfied, and condition 
1) holds relative to our intractability assumption. 

In contrast with the credential mechanism to be outlined later, this system needs an 
on-line participant, namely the bank. This seems to be an inherent property in systems 
where numbers are worth money, and you want to prevent individuals from using a number 
more than once. 

4. Credential Mechanisms 

For this, we need the concept of unconditionally secure bit commitments, as explained 
in Section 2. 

What we are looking for is a method allowing organization O to transmit personal 
information about individual A, say, to some other organization. Typically, this informa- 
tion takes the form of a credential, i.e. a message saying that a given individual satisfies 
some "predicate": he can drive a car, passed an exam, etc. At the same time, we want to 
prevent organizations from building complete records on the behavior of an individual, i.e. 
find out which credentials he possesses, who he shows them to, etc. Following the ideas of 
[ChEv], we will let each individual represent himself by different pseudonyms with 
different organizations. Assume that some unique bit string ID(A) (name, address, etc.) is 
attached to each individual A. Then a pseudonym in our case will be a set of uncondition- 
ally secure bit commitments to the bits in ID(A). A will compute one such set for each 
organization he interacts with. 
In order for a credential mechanism to be useful, it has to satisfy 2 basic properties: 

1) No individual can show a credential to anyone, unless it has been properly issued to 
him. 

2) The credential mechanism reveals no Shannon information about which pseudonyms 
apply to the same individual. 

Property 2) must be stated a little more precisely before it can be formally proved, but 
it will do for the informal reasoning in this abstract. 

A more complete and formal definition of the concept of a credential mechanism can 
be found in [ChEv]. 

To set up our construction, we need one special organization, called Z, which will be 
used to validate once and for all each individual in the system. Z starts by choosing its 
own instance of the BM scheme and sending the public key to all participants. 

The following protocol is executed for each individual A: 

a) A sends ID(A) to Z, and Z checks this against A. Z also makes sure that A has not 
entered the system before. 

b) The following steps c)-d) are executed for each organization O that A wants to 
interact with later: 

c) A chooses a random bitstring R_O, which must contain as many bits as is needed as 
random input to the computation of A's pseudonym with O. 

d) A and Z do a computation protocol, where Z signs a bitstring which is the concatena- 
tion of ID(A), ID(O) and R_O. A is unconditionally protected, and enters R_O as 
private input, while ID(A) and ID(O) are public. Z enters its secret key to the signa- 
ture scheme as private input. The resulting signature is given to A as private output. 

After this, A can compute his pseudonym with O, PS_O(A), based on R_O. When he 
starts interacting with O, he must first convince O that he knows Z's signature on a string 
which is the concatenation of ID(A), ID(O) and a string R_O, and also that this string has 
the property that computing a pseudonym for ID(A) based on R_O leads to the pseudonym 
PS_O(A) that A wants to use with O. Using the general computation protocol with no 
private input from O, this can be done while revealing no information to O about ID(A) 
or R_O. 

Lemma 1 

The above ensures that each individual is represented by at most 1 pseudonym with each 
organization, and that different individuals have different pseudonyms with the same 
organization. 

Proof. 

Assume the first statement is false, and let A be an individual with 2 pseudonyms 
representing him with O. Since PS_O(A) is uniquely determined by (ID(A), R_O), this 
means that A must have Z's signature on at least two strings of the form 
(ID(A), ID(O), R_O), (ID(A), ID(O), R'_O). But since Z only signs 1 string starting with 
ID(A), ID(O), this contradicts Theorem 3. If the second statement is false, this trivially 
implies that some conspiracy of individuals has been able to find a claw for the pair of 
functions used in computing commitments. But this contradicts the basic assumption on 
claw freeness □ 

Now, for each type of credential, an instance of the BM scheme is chosen, and each 
organization authorized to issue that type is assumed to have a copy of the secret key. We 
then fix the rule that a given type of credential applies to A, if he possesses a signature in 
the corresponding signature scheme on ID(A). 

O can now issue a credential to A by doing a computation protocol with him, where 
O signs ID(A). During this protocol, it is checked by using the commitments in PS_O(A) 
that A really enters the correct ID-string as private input. 

A can show this credential to O' by convincing O' that he knows a signature in the 
relevant signature scheme on the string committed to in PS_{O'}(A). As before, this can be 
done while revealing no information about ID(A) or the signature. 

Theorem 4. 

The credential mechanism outlined above satisfies properties 1) and 2). 
Proof. 

1): By correctness of the computation protocol, it is clear that A cannot show a credential 
unless he really knows the relevant signature on ID(A). By Lemma 1, he cannot pretend 
to be someone else, and in that way fool an organization into computing this signature for 
him. Thus, if he did not receive the credential from an organization, the only possibility is 
that he computed the signature himself, which contradicts Theorem 3. 

2): follows easily from the fact that all individuals are unconditionally protected in all 
interactions with organizations □ 

It might be argued that this system, like any system that identifies people by numbers, 
does not protect against different physical persons sharing the same digital identity (see 
for example [De]). A solution to this would of course have to deal with the problem of 
checking the physical identity of a person. Numerous solutions using tamper resistant dev- 
ices, photos, hand-written signatures and the like can be developed. Note that such a solu- 
tion does not have to violate condition 2) above (the untraceability), because the identity 
check does not have to be executed by the organizations themselves, but could be done e.g. 
by an independent tamper resistant device. 
Abstract 

A notion of reduction among multi-party distributed computing problems is in- 
troduced and formally defined. Here the reduction from one multi-party distributed 
computing problem to another means, roughly speaking, a secure and verifiable proto- 
col for the first problem can be constructed solely from a secure and verifiable protocol 
of the second. A universal or complete multi-party distributed computing problem 
is defined to be one to which the whole class of multiparty problems is reducible. One 
is interested in finding a simple and natural multi-party problem which is universal. 
The distributed sum problem, of summing secret inputs from N parties, is shown to be 
such a universal problem. The reduction yields an efficient systematic method for the 
automatic generation of secure and verifiable protocols for all multi-party distributed 
computing problems. Incorporating the result from [14], it also yields an alternative 
proof to the completeness theorem of [9] that, assuming honest majority and the ex- 
istence of a trap-door function, for all multi-party problems there is a secure and 
verifiable protocol. 
1 Introduction 

We are concerned with the problem of computing correctly and securely in a distributed 
environment. This problem, raised by Goldreich, Micali, and Wigderson, was called the 
multi-party protocol problem [9]. Informally, the multi-party protocol problem can be stated 
as: given a description of a game with incomplete information of any number of players, 
produce a protocol for playing the game that leaks no partial information, provided that 
the majority of the players is honest. Such protocols are called secure and verifiable protocols; 
they simultaneously guarantee correctness of the corresponding games and privacy of all 
players. 

In [9], Goldreich, Micali, and Wigderson presented the first solution to the multi- 
party protocol problem and derived a completeness theorem for the class of distributed 
protocol problems with honest majority, namely, if any trap-door function exists, then 
for all games there is a secure and verifiable protocol provided that more than half of the 
players are honest. Ben-Or, Goldwasser and Wigderson [2] and Chaum, Crépeau and Damgård 
[5] independently proved a completeness result for the multi-party protocol problem in a non- 
cryptographic setting. 

In this paper, the relationship among the multi-party problems is studied. We formal- 
ize the notion of reduction among multi-party problems. Roughly speaking, a multi-party 
problem P is reducible to a set S of multi-party problems if a secure and verifiable proto- 
col for P can be constructed solely from the combination of secure and verifiable protocols 
for problems in S. From the notion of reduction, the concepts of universal set and uni- 
versal multi-party problem are defined. A set S of multi-party problems is a universal 
set if all multi-party problems are reducible to S. In other words, secure and verifiable 
protocols for a universal set can be used as fundamental building blocks for constructing 
secure and verifiable protocols for all multi-party problems. A multi-party problem P is 
universal if it by itself forms a universal set. 

We are interested in finding a simple and natural multi-party problem that is universal 
for the whole class of multi-party problems. The distributed sum problem, of summing 
secret inputs from N parties, is shown to be such a universal problem. Besides being a 
universal problem, the distributed sum problem itself is also an important problem. For 
example, the well-known election problem [6,14,13,4,7,18] is the distributed sum problem 
when the secret inputs are restricted to 0 and 1. 

We prove that, assuming honest majority, designing a secure and verifiable protocol 
for any N-player multi-party problem is reducible to the design of a secure and verifiable 
protocol for the distributed sum problem over N players. This reduction demonstrates that 
the distributed sum problem is universal, and gives an efficient systematic method for 
the automatic generation of secure and verifiable protocols for all multi-party problems. 
Incorporating the result from [14]¹, it yields an alternative proof to the completeness 
theorem of Goldreich, Micali, and Wigderson [9]. 

2 Preliminary 

The computation model used for multi-party problems is a complete synchronous network 
of N nodes. Each node (node i) has a probabilistic Turing machine (U_i), called a user, 
with its own private read-only input tape, write-only output tape, and work tape. There 
is a common read-only tape, a common write-only tape, and a global clock shared by all 
machines. 

Various models can be defined according to the different means of communication 
among the machines [9,2,6]. 

• Private Channel Model: There are N(N−1)/2 perfectly secure private communication 
tapes. The i-th machine communicates with the j-th machine, and vice versa, via tape 
i ↔ j. No other machines can read the message on the i ↔ j tape. 

• Common Tape Model: There is only one communication tape. Each machine can 
read the message from the tape and write message on the tape. 

• Bulletin Board Model: There are N publicly readable tapes, BB_1, ..., BB_N, called 
Bulletin Boards, where BB_i is writable only by the i-th machine. 

Throughout this paper, the bulletin board model is assumed. Note that using digital 
signatures [16] to authenticate the sender, protocols designed on the bulletin board model 
can be implemented on the common tape model. Also, using Byzantine agreement [15], 
all machines can agree on what message machine i has sent to machine j at certain time. 
Hence, protocols designed on the bulletin board model can be implemented on the private 
channel model. 

A distributed protocol DP consists of a set of probabilistic algorithms {A_i : 1 ≤ i ≤ 
N} to be run on a distributed system of N parties U_1, ..., U_N. The algorithm A_i runs 
on U_i. The initial content of the shared input tape is the common input, and the initial 
content of the private input tape of U_i is the secret input to U_i. The common input typically 
consists of the agreed upon verifiability and security parameters denoted by V_N and K_N 
respectively. The final content on the shared output tape is the public output of DP, and 
the secret outputs of U_i appear on the private output tape of U_i. 

¹ It was proven in [14] that there is an optimally secure and verifiable protocol for the distributed sum 
problem. 
Let DP = {A_i : 1 ≤ i ≤ N} be a distributed protocol of N parties U_1, ..., U_N. A 
party U_i is honest if it runs its preassigned algorithm A_i faithfully and only runs A_i, and 
is called dishonest otherwise. We allow the possibility of sharing information among the 
dishonest parties. A dishonest party can be either passive or malicious in the sense of [9]. 
We also allow each party to become dishonest in a dynamic fashion during the execution 
of the protocol. 

A conspiracy C among s dishonest parties is a set of probabilistic polynomial time 
algorithms {A'_i : 1 ≤ i ≤ N} and a dishonest party U_a, where A'_i = A_i if U_i is honest. The 
common input of C and the secret input to the honest U_i are the same as those in DP. 
The output of C is defined to be the private output of U_a, and is either one or zero. 

For the ease of understanding, we restrict our consideration to a special subclass of 
multi-party problems, distributed transformation problem. The result achieved for this 
subclass can be generalized to the general multi-party problems [9,2,5]. 

The N-party distributed transformation problem is stated as: given a 2N-ary formula² 
CF(x_1, ..., x_N, y_1, ..., y_N), design a protocol DP such that on each tuple of secret inputs 
(s_1, ..., s_N), the application of the protocol outputs a tuple of secret outputs (z_1, ..., z_N), 
such that: 

• Verifiable Correctness: CF(s_1, ..., s_N, z_1, ..., z_N) = 1. 

• Privacy: No subset of less than ⌈N/2⌉ parties can extract any more information 
about the s_i's and z_i's from execution of DP than is already contained in the formula 
CF(s_1, ..., s_N, z_1, ..., z_N) = 1 and their shared secret inputs. 

where a tuple of secret inputs (s_1, ..., s_N) means that s_i is the secret input of U_i, and 
a tuple of secret outputs (z_1, ..., z_N) means that z_i is the secret output of U_i. 

The distributed transformation problem can be interpreted as: at the beginning of 
the execution, the i-th party owns a private database DB_i, and the application of the protocol 
transforms the i-th database securely into a new database DB'_i which satisfies the predefined 
properties without revealing any more information about the DB_i's and DB'_i's. 

The Turing machine game, defined by Goldreich, Micali, and Wigderson [9], is a 
subclass of the distributed transformation problem defined above. Informally, the Turing 
machine game can be described as: N parties, respectively owning secret inputs s_1, ..., s_N, 
are to correctly run a given Turing machine M on s_1, ..., s_N while keeping the maximum 
possible privacy of all parties. Clearly, the Turing machine game with Turing machine M 
is a distributed transformation problem with formula CF_M: 

CF_M(x_1, ..., x_N, y_1, ..., y_N) = 1 if y_1 = y_2 = ... = y_N = M(x_1, ..., x_N) 

² It is usually assumed that the formula of a distributed transformation problem is random polynomial 
time computable in the sense that we can construct a random algorithm A_CF which on each tuple of 
inputs (s_1, ..., s_N) outputs, in random polynomial time, a tuple (z_1, ..., z_N) such that 
CF(s_1, ..., s_N, z_1, ..., z_N) = 1. 

A distributed protocol $\mathcal{DP}$ is an $s$-secure protocol for a distributed transformation
problem with formula $\mathcal{CF}$, if the following condition is satisfied.

For all conspiracies $C$ among a set of $s$ dishonest users, for all pairs of $2N$-ary tuples
$(x_1, \ldots, x_N, u_1, \ldots, u_N)$ and $(y_1, \ldots, y_N, v_1, \ldots, v_N)$ with

$\mathcal{CF}(x_1, \ldots, x_N, u_1, \ldots, u_N) = \mathcal{CF}(y_1, \ldots, y_N, v_1, \ldots, v_N) = 1$

and $x_i = y_i$ if $U_i$ is dishonest, for all $k \in \mathbb{N}$,

$\mathrm{prob}\{C(x_1, \ldots, x_N, u_1, \ldots, u_N) = 1\} - \mathrm{prob}\{C(y_1, \ldots, y_N, v_1, \ldots, v_N) = 1\} < \frac{1}{(N + z + K)^k}$

where $z$ is the input size, which equals the maximum binary length of the $x_i$ and $y_i$.

Informally, the above condition says that $(x_1, \ldots, x_N)$ and $(y_1, \ldots, y_N)$ are polynomial-
time indistinguishable to the dishonest users.

A distributed protocol $\mathcal{DP}$ is $s$-verifiable for a distributed transformation problem
with formula $\mathcal{CF}$ if for all inputs $S = (s_1, \ldots, s_N)$, the probability that $\mathcal{CF}(S, Z) = 1$,
where $Z = (z_1, \ldots, z_N)$ is the output of $\mathcal{DP}$ on $s_1, \ldots, s_N$, is at least $1 - \frac{1}{(N + z + K)^k}$ for all
$k \in \mathbb{N}$, provided no more than $s$ users are dishonest.

A distributed protocol $\mathcal{DP}$ is an optimally secure and verifiable protocol for a
distributed transformation problem iff it is $s$-secure and $s$-verifiable for all $1 < s < N$.



3 Complete Sets and Universal Problems 

Throughout the development of computational complexity theory, an important notion
has been the reduction among a class $\mathcal{CP}$ of problems. Informally, reduction from one
problem to another shows that the first problem is essentially no harder than the second.
The notion of reduction introduces a partial order among problems in $\mathcal{CP}$. A problem $\mathcal{P}$ is
complete or universal for the whole class of problems if all problems in $\mathcal{CP}$ are reducible
to $\mathcal{P}$. More generally, a subset $\mathcal{S} \subseteq \mathcal{CP}$ is a complete set if all problems in $\mathcal{CP}$ are reducible
to $\mathcal{S}$.

The completeness of a problem $\mathcal{P}$ is often used as strong evidence that $\mathcal{P}$ is in-
tractable up to a certain computation power. For example, if a problem $\mathcal{P}$ is complete for
the class of recursive functions ($NP$, $P$) under recursive reduction (polynomial-time re-
duction, $NC$-reduction, respectively), then $\mathcal{P}$ is undecidable (unlikely in $P$, unlikely in $NC$,
respectively). However, in the case where $\mathcal{P}$ admits an efficient solution, a constructive
proof of completeness provides a systematic method for solving all problems in $\mathcal{CP}$. In this
case, we also call $\mathcal{P}$ a universal problem for the class $\mathcal{CP}$.

Informally, the reduction from a multi-party problem $\mathcal{P}$ to another multi-party prob-
lem $\mathcal{P}'$ means that $\mathcal{P}$ can be solved by alternating applications of local computation by
individual parties and a secure and verifiable protocol for $\mathcal{P}'$. More specifically, each dis-
tributed protocol can be decomposed into a sequence of local transformations, where each
user computes locally and securely, and distributed transformations, where all users work
together to transform a tuple of secret inputs into a tuple of secret outputs satisfying some
predefined conditions. Let $Program(S)$ be the set of all distributed programs consisting of
alternating local transformation and distributed transformation protocols from $S$. Infor-
mally, a set of protocols $S$ is complete iff for all multi-party problems $P$, there is a distributed
program from $Program(S)$ that is secure and verifiable for $P$. A multi-party problem $Q$
is universal iff each secure and verifiable protocol for $Q$ by itself forms a complete set.

3.1 Local Transformation vs Distributed Transformation 

The class of distributed transformation problems can be partitioned into two subclasses
according to the input-output dependency. Let us first see some examples:

Problem 3.1 There are $N$ users. User $i$ has a secret value $s_i$. User $i$ wants to compute the
largest perfect square which is smaller than $s_i$. In other words, Problem 3.1 is a distributed
transformation problem with formula $\mathcal{CF}$:

$\mathcal{CF}(x_1, \ldots, x_N, y_1, \ldots, y_N) = 1$ iff $y_i = \max\{z^2 \mid z^2 < x_i\}$ for all $i$



Problem 3.2 There are $N$ users. User $i$ has a secret value $s_i$. User $i$ wants to compute

In Problem 3.1, each user can locally compute its secret output from its secret input,
while in Problem 3.2 the secret output of each user depends on the secret inputs of all
other users. Hence each user, by itself, cannot obtain the correct secret output. In order
to perform the computation, each user has to communicate with the other users.

In general, a distributed transformation problem $\mathcal{P}$ with formula $\mathcal{CF}$ is locally com-
putable if there are $N$ functions $f_1, \ldots, f_N \in \mathcal{PPU}$ such that for all $(s_1, \ldots, s_N)$,

$\mathcal{CF}(s_1, \ldots, s_N, z_1, \ldots, z_N) = 1$ where $z_i = f_i(s_i)$,

where $\mathcal{PPU}$ stands for the class of probabilistic polynomial time computable unary func-
tions.
The computation of a locally computable distributed transformation problem is called
a local transformation, and the computation of a distributed transformation problem which
involves inter-user communication is called a distributed transformation.

Using the probabilistic public-key cryptosystem of Goldwasser and Micali [11] and
two-party zero-knowledge proof protocols from [12,10,3], or using verifiable secret
sharing (VSS) [2,5,17], each party can prove to all other parties the correctness of its local
computation without leaking any information about its secrets. Such a scheme can be
found in [1,2,5,14]. Thus, it is assumed that the local transformation of each party in all
distributed protocols is performed securely with verifiable correctness.

3.2 Reducibility 

Two operators are defined on the set of distributed protocols to formalize the concept of 
reduction from one multi-party problem to another. 

Definition 3.1 (Composition) Let $\mathcal{DP}_1$ and $\mathcal{DP}_2$ be two $N$-party distributed protocols,
and $F = (f_1, \ldots, f_N) \in \mathcal{PPU}^N$. The $F$-composition of $\mathcal{DP}_1$ and $\mathcal{DP}_2$ forms a new $N$-
party distributed protocol, denoted by $\mathcal{DP}_2 \odot_F \mathcal{DP}_1$, which is composed of the following
three steps: (1) apply $\mathcal{DP}_1$ on a tuple of secret inputs $(s_1, \ldots, s_N)$ to compute a tuple of
secret outputs $(u_1, \ldots, u_N)$; (2) each party $U_i$ performs a local transformation to compute
$f_i(u_i)$; (3) apply $\mathcal{DP}_2$ on $(f_1(u_1), \ldots, f_N(u_N))$ to compute the final tuple of secret outputs
$(z_1, \ldots, z_N)$.

Definition 3.2 (Combination) Let $\mathcal{DP}_1, \ldots, \mathcal{DP}_k$ be $k$ $N$-party distributed protocols.
The combination of these $k$ protocols defines a new $N$-party distributed protocol, denoted by
$\biguplus_{i=1}^k \mathcal{DP}_i$, which is specified as: on a tuple of secret inputs $((s_{1,1}, \ldots, s_{k,1}), \ldots, (s_{1,N}, \ldots, s_{k,N}))$,
for $i = 1$ to $k$, apply $\mathcal{DP}_i$ on $S_i = (s_{i,1}, \ldots, s_{i,N})$ to compute a tuple of secret outputs $(z_{i,1}, \ldots, z_{i,N})$. Then the
final tuple of secret outputs is $((z_{1,1}, \ldots, z_{k,1}), \ldots, (z_{1,N}, \ldots, z_{k,N}))$.

Let $\mathcal{IDN}_N$ denote the identity distributed protocol whose application on any tuple of
secret inputs $(s_1, \ldots, s_N)$ outputs the tuple of secret outputs $(s_1, \ldots, s_N)$.

Definition 3.3 (Protocol Circuit) An $N$-party protocol circuit $C$ is a labeled directed
acyclic simple graph with a unique sink $r_C$ in which each vertex $v$ is labeled by an ordered
pair $(F_v, \mathcal{DP}_v)$, where $F_v \in \mathcal{PPU}^N$ and $\mathcal{DP}_v$ is an $N$-party distributed protocol. The value
of each vertex $v$ in a protocol circuit is an $N$-party distributed protocol which is defined
inductively:

• If $v$ is a leaf vertex with label $(F_v, \mathcal{DP}_v)$, then $value(v) = \mathcal{DP}_v \odot_{F_v} \mathcal{IDN}_N$.

• If $v$ is an internal vertex, labeled by $(F_v, \mathcal{DP}_v)$ and with children $w_1, \ldots, w_k$, then:

$value(v) = \mathcal{DP}_v \odot_{F_v} \left( \biguplus_{i=1}^k value(w_i) \right)$

The distributed protocol defined by a protocol circuit $C$, denoted by $protocol(C)$, is $value(r_C)$.
We can evaluate a protocol circuit $C$ on a tuple of secret inputs $(s_1, \ldots, s_N)$ according
to the definitions of composition and combination. Note that the evaluation is composed of
an alternating application of local transformations within each party and the distributed
protocols associated with the vertices in $C$. This yields a general paradigm for solving
multi-party problems.

Definition 3.4 (Reduction) A set $S$ of multi-party problems is reducible to another
set $T$ of multi-party problems iff for all $\mathcal{P} \in S$, there exists a protocol circuit $C$, with protocol
labels only from the set of protocols which are secure and verifiable for problems in $S$, that
defines a secure and verifiable protocol for $\mathcal{P}$.

Let $F = (f_1, \ldots, f_N)$ be an $N$-tuple of random polynomial computable unary func-
tions. Let $\mathcal{CF}_1, \ldots, \mathcal{CF}_k$ be $k$ $2N$-ary formulas. The $F$-composition of $\mathcal{CF}_1$ and $\mathcal{CF}_2$,
denoted by $\mathcal{CF}_2 \odot_F \mathcal{CF}_1$, is defined as: for all $N$-tuples $X = (x_1, \ldots, x_N)$, $Y = (y_1, \ldots, y_N)$,

$\mathcal{CF}_2 \odot_F \mathcal{CF}_1(X, Y) = 1$ iff $\exists U = (u_1, \ldots, u_N)$, $\mathcal{CF}_1(X, U) = \mathcal{CF}_2(F(U), Y) = 1$ (1)

where $F(U) = (f_1(u_1), \ldots, f_N(u_N))$.

The combination of $\mathcal{CF}_1, \ldots, \mathcal{CF}_k$, denoted by $\biguplus_{i=1}^k \mathcal{CF}_i$, is defined as: for $1 \le i \le k$, $1 \le
j \le N$, for all $S_i = (s_{i,1}, \ldots, s_{i,N})$, $Z_i = (z_{i,1}, \ldots, z_{i,N})$, $U_j = (s_{1,j}, \ldots, s_{k,j})$, $V_j = (z_{1,j}, \ldots, z_{k,j})$,

$\biguplus_{i=1}^k \mathcal{CF}_i((U_1, V_1), \ldots, (U_N, V_N)) = 1$ iff $\prod_{i=1}^k \mathcal{CF}_i(S_i, Z_i) = 1$ (2)

If for all vertices $v$ in a protocol circuit $C$, $\mathcal{DP}_v$ is a distributed protocol for a dis-
tributed transformation problem with formula $\mathcal{CF}_v$, then $C$ defines a formula, denoted
by $formula(C)$, by Relation (1) and Relation (2) in a natural way. We can prove the
following lemma.

Lemma 3.1 If for all $v$, $\mathcal{DP}_v$ is an $s$-verifiable distributed protocol for the distributed trans-
formation problem with formula $\mathcal{CF}_v$, then $protocol(C)$ is an $s$-verifiable distributed protocol
for the distributed transformation problem with formula $formula(C)$.
4 The Distributed Sum Problem

Formally, the distributed sum problem is a distributed transformation problem with for-
mula

$\mathcal{CF}(x_1, \ldots, x_N, y_1, \ldots, y_N) = 1$ iff $y_1 = y_2 = \cdots = y_N = \sum_{i=1}^N x_i$,

where the problem domain is a subset of $\mathbb{Z}$, the set of integers. It will be shown in the next
section that the distributed sum problem is universal over all multi-party problems.

An optimally secure and verifiable protocol is presented in [14] based on the efficient 
construction of perfectly secure patterns. 

Lemma 4.1 ([14]) There is an optimally secure and verifiable protocol for the distributed
sum problem.

Other secure and verifiable protocols for the distributed sum problem are also implied 
in [2,5,9,8]. 

An important variant of the distributed sum problem, denoted by $\mathcal{DSP}_i$, is the one
in which, after the computation, only the $i$th party correctly computes the sum, and all other
parties can extract no information about the sum. In other words, $\mathcal{DSP}_i$ is a distributed
transformation problem with formula:

$\mathcal{CF}(x_1, \ldots, x_N, y_1, \ldots, y_N) = 1$ iff $y_i = \sum_{j=1}^N x_j$

Lemma 4.2 The distributed sum problem and $\{\mathcal{DSP}_i \mid 1 \le i \le N\}$ are reducible to
each other.

[PROOF] It can be easily shown that the distributed sum problem is reducible to $\{\mathcal{DSP}_i \mid
1 \le i \le N\}$. We now show that $\{\mathcal{DSP}_i \mid 1 \le i \le N\}$ is reducible to the distributed sum
problem. Let $(s_1, \ldots, s_N)$ be a tuple of secret inputs and let $s = \sum_{j=1}^N s_j$. The application
of $\mathcal{DSP}_i$ on $(s_1, \ldots, s_N)$ can be done by:

1. The $i$th party $U_i$ randomly chooses $w_1, w_2 \in \mathbb{Z}$ such that $w_1 + w_2 = s_i$.

2. Apply a protocol for the distributed sum problem on $(s_1, \ldots, s_{i-1}, w_1, s_{i+1}, \ldots, s_N)$ to produce
$(y, \ldots, y)$, where $y = w_1 - s_i + \sum_{j=1}^N s_j = s - w_2$.

3. $U_i$ locally computes $w_2 + y$ to get $s$.

Note that $y$ contains no information about $s$; therefore the above protocol is $s$-secure
if the protocol for the distributed sum problem is $s$-secure. □
5 Universality of the Distributed Sum Problem

A natural universal problem for multi-party distributed computation is sought, and the
simpler the universal problem, the better. In this section, the very simple distributed
sum problem is proven to be a universal multi-party problem. Moreover, the proof is
constructive.

Theorem 5.1 (Main Theorem) The distributed sum problem is a universal multi-party
problem.

Corollary 5.1 For all multi-party problems, there is a secure and verifiable protocol as-
suming honest majority.

5.1 Distributed Boolean Circuit Problem

The proof of Theorem 5.1 consists of a sequence of reductions. The first step is to reduce
the general distributed transformation problem to a special distributed transformation
problem, the distributed Boolean circuit problem.

The distributed Boolean circuit problem is motivated by the following observation.

For each formula $\mathcal{CF}(X_1, \ldots, X_N, Y_1, \ldots, Y_N)$, we can construct a probabilistic algo-
rithm $A_{\mathcal{CF}}$ which on each tuple of inputs $(s_1, \ldots, s_N)$ outputs a tuple $(z_1, \ldots, z_N)$ such
that $\mathcal{CF}(s_1, \ldots, s_N, z_1, \ldots, z_N) = 1$. In turn, we can construct a Boolean circuit³ $C_{\mathcal{CF}}$ to
implement $A_{\mathcal{CF}}$ such that the size of $C_{\mathcal{CF}}$ is polynomially bounded by the time complexity
of $A_{\mathcal{CF}}$. In the context of secure distributed computation, $N$ parties, each holding some
secret inputs to $C_{\mathcal{CF}}$, want to evaluate $C_{\mathcal{CF}}$ to correctly compute their corresponding secret
outputs, i.e. $U_i$, holding secret input $s_i$, is to securely and correctly compute the value of $z_i$.
In circuit $C_{\mathcal{CF}}$, $s_i$ corresponds to a subset of input Boolean variables, and $z_i$ to a subset of
output Boolean variables. The distributed Boolean circuit problem is defined formally as:

Definition 5.1 (Distributed Boolean circuit problem) Given a Boolean circuit $C$ of
$m$ input variables $x_1, \ldots, x_m$ and $n$ output variables $b_1, \ldots, b_n$. Each party $U_i$ owns a
nonempty subset of input variables $X_i$ such that $\bigcup_{i=1}^N X_i = \{x_1, \ldots, x_m\}$ and $X_i \cap X_j = \emptyset$
for all $1 \le i \ne j \le N$. The distributed Boolean circuit problem with circuit $C$ is a distributed
transformation problem with formula $\mathcal{CF}_C$:

$\mathcal{CF}_C(X_1, \ldots, X_N, Y_1, \ldots, Y_N) = 1$ iff $\bigwedge_{i=1}^n \left\{ \Gamma_i(X_1, \ldots, X_N) = \left( \sum_{j=1}^N y_{j,i} \right) \bmod 2 \right\}$

³ A Boolean circuit is a labeled directed acyclic graph in which the leaves are labeled by distinct Boolean
variables, and the internal nodes are labeled from the set of Boolean operators. Each node $v$ in the Boolean
circuit is associated with a Boolean formula which is defined in a natural way.

where $\Gamma_i$ is the Boolean formula defined by the Boolean circuit $C$ on output variable $b_i$, and
$Y_j = \{y_{j,1}, \ldots, y_{j,n}\}$.

Lemma 5.1 The distributed transformation problem is reducible to the distributed Boolean
circuit problem and the distributed sum problem.

[PROOF] Given a distributed transformation problem with formula $\mathcal{CF}$, first we construct
a Boolean circuit $C_{\mathcal{CF}}$ with output Boolean variables $b_1, \ldots, b_n$, then we apply the secure and
verifiable protocol for the distributed Boolean circuit problem on $C_{\mathcal{CF}}$. Suppose $b_j$ is a
bit in the secret output of $U_i$; we apply the secure and verifiable protocol for $\mathcal{DSP}_i$ on
$(y_{1,j}, \ldots, y_{N,j})$ to transform $b_j$ securely and correctly to $U_i$. The verifiability and the security
of the above reduction can be easily verified. □

5.2 Two Primitives for the Distributed Boolean Circuit Problem 

We will construct a distributed protocol which evaluates a Boolean circuit sequentially,
gate after gate, in such a way that after evaluating one gate $b$, each party $U_i$ obtains a
fraction of information $y_i$ about the value of $b$ defined on the secret inputs $s_1, \ldots, s_N$, with
$\sum_{i=1}^N y_i \bmod 2 = value(b)$. Moreover, no proper subset of fewer than $N/2$ parties can extract
any information about $value(b)$ and the $s_i$'s beyond what is contained in their secret inputs.
Note that $\wedge$ and $\oplus_2$ are complete in zero-one Boolean algebra in the sense that all Boolean
operators can be represented by those two operators. Therefore, for every Boolean circuit $C$
of size $n$, there is an equivalent Boolean circuit $C'$ built up from $\oplus_2$ and $\wedge$ only, whose size
is polynomial in $n$, that computes the same function as $C$ does. This reduces the distributed
Boolean circuit problem to the following set of problems.

• Distributed $\oplus_2$-problem: a distributed transformation problem with formula:

$\mathcal{CF}((x_1, y_1), \ldots, (x_N, y_N), z_1, \ldots, z_N) = 1$ iff $\sum_{i=1}^N z_i \bmod 2 = \left( \sum_{i=1}^N x_i \bmod 2 \right) \oplus_2 \left( \sum_{i=1}^N y_i \bmod 2 \right)$

• Distributed $\wedge$-problem: a distributed transformation problem with formula:

$\mathcal{CF}((x_1, y_1), \ldots, (x_N, y_N), z_1, \ldots, z_N) = 1$ iff $\sum_{i=1}^N z_i \bmod 2 = \left( \sum_{i=1}^N x_i \bmod 2 \right) \wedge \left( \sum_{i=1}^N y_i \bmod 2 \right)$

We can prove the following lemma:

Lemma 5.2 The distributed Boolean circuit problem is reducible to the distributed $\oplus_2$-
problem, the distributed $\wedge$-problem, and the distributed sum problem.
Motivated by finding reductions from the distributed $\wedge$-problem and the distributed
$\oplus_2$-problem to the distributed sum problem, we introduce the following set of equivalent
distributed transformation problems.

Let $\mathbb{Z}[x]$ denote the set of polynomials in $x$ whose coefficients are in $\mathbb{Z}$. Let $\mathbb{Z}[x]_N$
stand for the set of integral polynomials of degree $N$. We define a function $\mathcal{PARITY}$ :
$\mathbb{Z}[x] \to \{0, 1\}$ as: for all $a[x] = \sum_{i=0}^N a_i x^i \in \mathbb{Z}[x]$,

$\mathcal{PARITY}(a[x]) = \sum_{i=0}^N a_i \bmod 2$

• $\oplus_2$-simulation problem is a distributed transformation problem with formula:

$\mathcal{CF}(\mathcal{F}, \mathcal{H}) = 1$ iff $\mathcal{PARITY}\left( \sum_{i=1}^N h_i[x] \right) = \mathcal{PARITY}\left( \sum_{i=1}^N f_i[x] \right) \oplus_2 \mathcal{PARITY}\left( \sum_{i=1}^N g_i[x] \right)$ (3)

• $\wedge$-simulation problem is a distributed transformation problem with formula:

$\mathcal{CF}(\mathcal{F}, \mathcal{H}) = 1$ iff $\mathcal{PARITY}\left( \sum_{i=1}^N h_i[x] \right) = \mathcal{PARITY}\left( \sum_{i=1}^N f_i[x] \right) \wedge \mathcal{PARITY}\left( \sum_{i=1}^N g_i[x] \right)$ (4)

where $\mathcal{F} = ((f_1[x], g_1[x]), \ldots, (f_N[x], g_N[x]))$, $\mathcal{H} = (h_1[x], \ldots, h_N[x])$, and all $f_i[x], g_i[x], h_i[x] \in \mathbb{Z}[x]_N$.

We observe that $\mathcal{PARITY}$ defines a homomorphism from $\mathbb{Z}[x]$ to $\mathbb{Z}_2 = \{0, 1, \oplus_2, \wedge\}$.
Therefore, the solutions to the above two problems can be applied by $N$ parties to perform
secure $\wedge$ and $\oplus_2$ operations. This reduces the distributed $\oplus_2$-problem and the distributed
$\wedge$-problem to the $\oplus_2$-simulation problem and the $\wedge$-simulation problem.
Observe that, for all $i$ : $1 \le i \le N$, letting $h_i[x] = f_i[x] + g_i[x]$,

$\mathcal{PARITY}\left( \sum_{i=1}^N h_i[x] \right) = \mathcal{PARITY}\left( \sum_{i=1}^N f_i[x] \right) \oplus_2 \mathcal{PARITY}\left( \sum_{i=1}^N g_i[x] \right)$

Hence, the $\oplus_2$-simulation problem can be solved solely by local computation. Consequently,
we have:

Lemma 5.3 The distributed Boolean circuit problem, hence the distributed transformation
problem, is reducible to the $\wedge$-simulation problem and the distributed sum problem.



5.3 Reducing the $\wedge$-Simulation Problem to the Distributed Sum
Problem

In this section, we complete the proof of the main theorem by showing that the $\wedge$-simulation
problem is reducible to the distributed sum problem.

Let $f[x] = \sum_{i=1}^N f_i[x]$, $g[x] = \sum_{i=1}^N g_i[x]$ and $h[x] = f[x] g[x]$. Then $h[x]$ is a polynomial
of degree no more than $2N$, and

$\mathcal{PARITY}(h[x]) = \mathcal{PARITY}(f[x]) \wedge \mathcal{PARITY}(g[x])$
Lemma 5.4 Given a secure and verifiable protocol for the distributed sum problem, there
is a secure and verifiable protocol to transform the tuple of secret inputs

$((f_1, g_1), \ldots, (f_i, g_i), \ldots, (f_N, g_N))$

to the tuple of secret outputs

$((h[2], h[2N+2], h[4N+2]), \ldots, (h[2i], h[2N+2i], h[4N+2]), \ldots, (h[2N], h[4N], h[4N+2]))$.

[PROOF] Protocol 1:

1. For all $i$, locally, $U_i$ computes $f_i[2j]$ and $g_i[2j]$, $1 \le j \le 2N + 1$.

2. For $i = 1$ to $N$, apply a protocol for $\mathcal{DSP}_i$ on the tuples of secret inputs $(f_1[2i], \ldots, f_N[2i])$,
$(f_1[2N+2i], \ldots, f_N[2N+2i])$, $(g_1[2i], \ldots, g_N[2i])$ and $(g_1[2N+2i], \ldots, g_N[2N+2i])$
to transfer $f[2i] = \sum_{j=1}^N f_j[2i]$, $f[2N+2i] = \sum_{j=1}^N f_j[2N+2i]$, $g[2i] = \sum_{j=1}^N g_j[2i]$ and
$g[2N+2i] = \sum_{j=1}^N g_j[2N+2i]$ securely and correctly to $U_i$.

3. Apply a protocol for the distributed sum problem on the tuples of secret inputs
$(f_1[4N+2], \ldots, f_N[4N+2])$ and $(g_1[4N+2], \ldots, g_N[4N+2])$ to transfer $f[4N+2] =
\sum_{j=1}^N f_j[4N+2]$ and $g[4N+2] = \sum_{j=1}^N g_j[4N+2]$ securely and correctly to all parties.

4. Each party $U_i$ computes $h[2i]$, $h[2N+2i]$ and $h[4N+2]$ locally. □
By the interpolation law, we have:

$h[x] = \sum_{k=1}^{2N+1} \frac{H_k[x]}{\Delta} = \frac{1}{\Delta} \sum_{k=1}^{2N+1} H_k[x]$

where $\Delta = \prod_{1 \le a < b \le 2N+1} (2a - 2b)$, and for all $k$ : $1 \le k \le 2N + 1$,

$H_k[x] = \prod_{j \ne k} (x - 2j) \prod_{1 \le a < b \le 2N+1,\ a \ne k,\ b \ne k} (2a - 2b) \; h[2k]$

Let $H_k[x] = \sum_{j=0}^{2N} H_{k,j} x^j$, and let $c_j = \sum_{k=1}^{2N+1} H_{k,j}$. Then $d_j = c_j / \Delta \in \mathbb{Z}$.
The following procedure forms a reduction of the $\wedge$-simulation problem to $\{\mathcal{DSP}_i \mid
1 \le i \le N\}$ and the distributed sum problem.
Reduction Protocol:

1. Apply Protocol 1.

2. By the interpolation law, each party $U_i$ computes the polynomials $H_i[x]$, $H_{N+i}[x]$ and $H_{2N+1}[x]$
locally. Then, for all $j$ : $0 \le j \le 2N$, $U_1$ computes $c_{1,j} = H_{1,j} + H_{N+1,j} + H_{2N+1,j}$, and
all other parties $U_i$ compute $c_{i,j} = H_{i,j} + H_{N+i,j}$ locally.

3. For $i = 1$ to $N$, apply a protocol for $\mathcal{DSP}_i$ on the tuples of secret inputs $(c_{1,i}, \ldots, c_{N,i})$
and $(c_{1,N+i}, \ldots, c_{N,N+i})$ to transfer $c_i = \sum_{k=1}^{2N+1} H_{k,i}$ and $c_{N+i} = \sum_{k=1}^{2N+1} H_{k,N+i}$ securely
and correctly to $U_i$.

4. Apply a protocol for the distributed sum problem on the tuple of secret inputs
$(c_{1,0}, \ldots, c_{N,0})$ to transfer $c_0 = \sum_{k=1}^{2N+1} H_{k,0}$ securely and correctly to all parties.

5. Local transformation: each party $U_i$ computes $d_i = c_i / \Delta$, $d_{N+i} = c_{N+i} / \Delta$ and $d_0 = c_0 / \Delta$
locally. Then $U_1$ randomly generates a polynomial $h_1[x] \in \mathbb{Z}[x]_N$
locally such that $\mathcal{PARITY}(h_1) = (d_1 + d_{N+1} + d_0) \bmod 2$, and all other parties $U_i$
randomly generate a polynomial $h_i[x] \in \mathbb{Z}[x]_N$ locally such that $\mathcal{PARITY}(h_i) =
(d_i + d_{N+i}) \bmod 2$.

By the interpolation law, we have:

$\mathcal{PARITY}\left( \sum_{i=1}^N h_i[x] \right) = \mathcal{PARITY}(h[x]) = \mathcal{PARITY}(f[x]) \wedge \mathcal{PARITY}(g[x])$
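The following is an added example, not code from the paper, that runs the reductions of Lemma 4.2 (the $\mathcal{DSP}_i$ trick), the local $\oplus_2$-simulation of Section 5.2 and the $\wedge$-simulation above (Protocol 1 followed by the Reduction Protocol) in a single Python process, with the parties' messages modelled as function calls. It assumes that $h[a]$ denotes the value $h(a)$; the secure sum protocol is a stand-in (plain additive sharing, not the protocol of [14]), and the interpolation is scaled by the product $D$ of the positive point differences instead of the paper's $\Delta$.

```python
import random

# Polynomials are coefficient lists, index = power of x: [1, 0, 2] is 1 + 2x^2.

def parity(p):
    """PARITY(p) = sum of the coefficients mod 2 (the paper's homomorphism).
    It equals p(1) mod 2, which is why h = f*g carries PARITY(f) AND PARITY(g)."""
    return sum(p) % 2

def poly_add(p, q):
    n = max(len(p), len(q))
    return [(p[i] if i < len(p) else 0) + (q[i] if i < len(q) else 0) for i in range(n)]

def poly_mul(p, q):
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] += a * b
    return r

def poly_eval(p, x):
    return sum(c * x ** i for i, c in enumerate(p))

def poly_sum(polys):
    acc = [0]
    for p in polys:
        acc = poly_add(acc, p)
    return acc

def secure_sum(inputs):
    """Stand-in for an s-secure distributed sum protocol (the paper uses [14];
    this is plain additive sharing, used only as a black box): every party splits
    its input into N random shares, gives one share to each party, and each party
    broadcasts the sum of the shares it received."""
    n = len(inputs)
    received = [[] for _ in range(n)]
    for s in inputs:
        shares = [random.randint(-10**9, 10**9) for _ in range(n - 1)]
        shares.append(s - sum(shares))
        for j, sh in enumerate(shares):
            received[j].append(sh)
    return sum(sum(r) for r in received)

def dsp(inputs, i):
    """Lemma 4.2: DSP_i from the plain sum. Party i (0-based) picks w1 + w2 = s_i,
    runs the sum with w1 in place of s_i (everyone learns y = s - w2, which says
    nothing about s) and adds w2 locally, so only party i ends up knowing s."""
    w1 = random.randint(-10**9, 10**9)
    w2 = inputs[i] - w1
    masked = list(inputs)
    masked[i] = w1
    y = secure_sum(masked)
    return y + w2

def xor_simulation(F, G):
    """Section 5.2: the XOR-simulation is purely local, h_i = f_i + g_i."""
    return [poly_add(f, g) for f, g in zip(F, G)]

def and_simulation(F, G):
    """Section 5.3: f = sum f_i, g = sum g_i, h = f*g has degree <= 2N, so its
    values at x = 2, 4, ..., 4N+2 determine it. Returns per-party degree-N
    polynomials h_i with PARITY(sum h_i) = PARITY(f) AND PARITY(g)."""
    N = len(F)
    K = 2 * N + 1                                  # number of interpolation points
    xs = [2 * k for k in range(1, K + 1)]
    owner = lambda k: (k - 1) % N                  # point 2k is held by party k or k-N
    def value(P, k):                               # P[2k] = sum_i P_i(2k)
        vals = [poly_eval(p, xs[k - 1]) for p in P]
        return secure_sum(vals) if k == K else dsp(vals, owner(k))   # 4N+2 is public
    # Protocol 1: the holder of point 2k learns h[2k] = f[2k] * g[2k]
    h_at = {k: value(F, k) * value(G, k) for k in range(1, K + 1)}
    # Integer Lagrange interpolation: D * h(x) = sum_k c_k(x) with every c_k in Z[x]
    D = 1
    for a in range(K):
        for b in range(a + 1, K):
            D *= xs[b] - xs[a]
    def c_poly(k):
        num, den = [h_at[k]], 1
        for j in range(1, K + 1):
            if j != k:
                num = poly_mul(num, [-xs[j - 1], 1])
                den *= xs[k - 1] - xs[j - 1]
        return [c * (D // den) for c in num]       # D is a multiple of every den
    # Step 2: party i adds the c_k of the points it holds (party 0 also the public one)
    C = [poly_sum([c_poly(k) for k in range(1, K + 1) if owner(k) == i]) for i in range(N)]
    # Steps 3-4: coefficients j and N+j of sum_k c_k go to party j via DSP_j and
    # coefficient 0 to everyone; dividing by D yields the coefficients d_j of h
    d = [0] * (2 * N + 1)
    d[0] = secure_sum([C[i][0] for i in range(N)]) // D
    for j in range(1, N + 1):
        d[j] = dsp([C[i][j] for i in range(N)], j - 1) // D
        d[N + j] = dsp([C[i][N + j] for i in range(N)], j - 1) // D
    # Step 5: each party outputs a random degree-N polynomial whose parity is the
    # parity of the d_j it holds; the parities add up to PARITY(h) = h(1) mod 2
    H = []
    for i in range(N):
        bit = (d[i + 1] + d[N + i + 1] + (d[0] if i == 0 else 0)) % 2
        h_i = [random.randint(-99, 99) for _ in range(N + 1)]
        h_i[0] += (bit - parity(h_i)) % 2
        H.append(h_i)
    return H
```

The values the dishonest parties see in this simulation are exactly the $f[2i], g[2i]$ and $c_j$ the text lists, so the example also shows why fewer than $N/2$ colluding parties hold too few points to interpolate $f$ or $g$.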

The verifiability of the above reduction can be easily verified. We now show that the
above reduction is secure under the assumption of honest majority.

We first make an observation based on classical information theory.

Lemma 5.5 (Composition Lemma) If $a_1, \ldots, a_k$ are $k$ ($k > 1$) random numbers in $\mathbb{Z}$,
then for all proper subsets $X \subset \{a_1, \ldots, a_k\}$, $X$ implies no information about $\sum_{i=1}^k a_i$.

It follows from the Composition Lemma (Lemma 5.5) that any proper subset of $\{f_1, \ldots, f_N\}$
or $\{g_1, \ldots, g_N\}$ contains no information about $\mathcal{PARITY}(f[x])$ and $\mathcal{PARITY}(g[x])$. So,
after running the protocol, the only additional information obtained by the $i$th party is
the values of $f[2i], f[2N+2i], f[4N+2], g[2i], g[2N+2i], g[4N+2]$, hence $h[2i], h[2N+2i], h[4N+2]$.
It follows that for any subset $S \subseteq \{1, \ldots, N\}$, the information on the parity
of $f$, $g$ and $h$ that can be obtained by $S$ is all that is implied by the interpolated values
held by the parties in $S$. Treating the coefficients of $f$ ($g$, $h$) as variables, each value $f[2j]$
($g[2j]$, $h[2j]$ respectively) determines a linear equation in the coefficients of $f$ ($g$, $h$ respec-
tively). So the values held by the users in $S$ determine a linear system $L$. Consequently,
the security of our scheme relies on the parity of the solutions in the solution space of $L$.
The following lemma can be proved via linear algebraic analysis (the proof will appear
in the full paper).

Lemma 5.6 For all $p[x] = \sum_{i=0}^N p_i x^i \in \mathbb{Z}[x]$, for all $X \subseteq \{2, 4, 6, \ldots, 4N+2\}$, if $|X| < N$,
then:

$\frac{|SOLU_0|}{|SOLU_1|} = 1$

where for $j \in \{0, 1\}$

$SOLU_j = \left\{ (c_0, c_1, \ldots, c_N) \;\middle|\; \sum_{i=0}^N c_i \equiv j \pmod 2 \;\&\; \forall x \in X,\ p[x] = \sum_{i=0}^N c_i x^i \right\}$

Therefore, it follows from the above lemmas that any subset of $s$ dishonest users can
extract no more information about $\mathcal{PARITY}(f_i[x])$, $\mathcal{PARITY}(g_i[x])$, $\mathcal{PARITY}(h_i[x])$,
$\mathcal{PARITY}(f[x])$, $\mathcal{PARITY}(g[x])$, and $\mathcal{PARITY}(h[x])$, provided all applications of the
protocols for the distributed sum problem and its variant are $s$-secure and $s < \lceil N/2 \rceil$.

Lemma 5.7 The $\wedge$-simulation problem is reducible to the distributed sum problem.

Remark 5.1 It is assumed in Lemma 5.6 that the domain of the distributed sum problem
is $\mathbb{Z}$, the set of integers. This assumption is not realistic in the sense that there is no
bound on the size of the integers. The following are some results when the size of the integers
is bounded.

Let $S_N$ be a security parameter agreed upon by all users, let $d_N = 2^{S_N}$ and $D_N =
\{-d_N, \ldots, d_N\}$, and for all $i$ : $N - 1 \ge i \ge 0$, $d_i = \Omega(N^2 d_{i+1})$ and $D_i = \{-d_i, \ldots, d_i\}$. The
following lemma can be proved via linear algebraic analysis.

Lemma 5.8 For a random polynomial $p[x] = \sum_{i=0}^N p_i x^i \in \mathbb{Z}[x]$ such that $p_i \in D_i$, for all
$X \subseteq \{2, 4, 6, \ldots, 4N+2\}$, if $|X| < N$, then with probability at least $1 - poly(N) \left( \frac{1}{2} \right)^{S_N}$:



| SOLUi | r av ' v 2 

where $poly(N)$ means a polynomial in $N$.

Assuming the coefficients of the secret polynomials $f$ and $g$ are bounded as in the above
lemma, it follows from the above lemma that, with very high probability, no subset of $s$
dishonest users can extract any more information about $\mathcal{PARITY}(f[x])$, $\mathcal{PARITY}(g[x])$
and $\mathcal{PARITY}(h[x])$, where $s < \lceil N/2 \rceil$.

Remark 5.2 Note that if $s$, the number of dishonest users, is greater than $N/2$, they can
compute $f[x]$, $g[x]$ by the interpolation law, thus $\mathcal{PARITY}(h[x])$. Hence, our scheme is not
secure against a dishonest majority.

Acknowledgement: We would like to thank Len Adleman and Gary Miller for helpful 
discussion. 
1 Introduction

In recent years the detection of computer viruses has become common place. It 
appears that for the most part these viruses have been 'benign' or only mildly 
destructive. However, whether or not computer viruses have the potential to 
cause major and prolonged disruptions of computing environments is an open 
question. 

Such basic questions as: 

1. How hard is it to detect programs infected by computer viruses? 

2. Can infected programs be 'disinfected' ? 

3. What forms of protection exist? 

4. How destructive can computer viruses be? 

have been at most partially addressed [Co1][Co2]¹. Indeed a generally accepted
definition of computer virus has yet to emerge.

For these reasons, a rigorous study of computer viruses seems appropriate.

* Research supported by NSF through grant CCR 8519296

¹ It appears that F. Cohen is the first researcher in an academic setting to consider the
practical and theoretical aspects of computer viruses. The formalism presented here differs
considerably from that explored by Cohen [Co1][Co2].

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 354-374, 1990.
© Springer-Verlag Berlin Heidelberg 1990
2 Basic Definitions

For the purpose of motivating the definitions which follow, consider this (fabricated)
'case study':

A text editor becomes infected with a computer virus. Each time the text editor 
is used, it performs the text editing tasks as it did prior to infection, but it also 
searches the files for a program and infects it. When run, each of these newly 
infected programs performs its 'intended' tasks as before, but also searches the 
files for a program and infects it. This process continues. As these infected 
programs pass between systems, as when they are sold, or given to others, new 
opportunities for spreading the virus are created. Finally, after Jan. 1, 1990, 
the infected programs cease acting as before. Now, each time such a program is 
run, it deletes all files. 

Such a computer virus can easily be created using a program scheme (in an ad
hoc language) similar to that found in [Co1]:

{main :=
    call injure;
    call submain;
    call infect;
}

{injure :=
    if condition then whatever damage is to be done and halt
}

{infect :=
    if condition then infect files
}



where for the 'case study virus':

{main :=
    call injure;
    call submain;
    call infect;
}

{injure :=
    if date > Jan. 1, 1990 then
        while files ≠ ∅:
            file = get-random-file;
            delete file;
        halt;
}

{infect :=
    if true then
        file = get-random-executable-file;
        rename main routine submain;
        prepend self to file;
}



By modifying the scheme above, a wide variety of viruses can be created. Even
'helpful' viruses may be created. For example, the following minor variant of
Cohen's [Co1] compression virus saves storage space:

{main :=
    call injure;
    decompress compressed part of program;
    call submain;
    call infect;
}

{injure :=
    if false then halt
}

{infect :=
    if executable-files ≠ ∅ then
        file = get-random-executable-file;
        rename main routine submain;
        compress file;
        prepend self to file;
}
With the 'case study virus' and all of those which could be created by the scheme
above, it appears that the following properties are relevant:

1. For every program, there is an 'infected' form of that program. That is, 
it is possible to think of the virus as a map from programs to ('infected') 
programs. 

2. Each infected program on each input (where here by input is meant all 
'accessible' information: e.g. the user's input, the system's clock, files 
containing data or programs) makes one of three choices: 

Injure: 

Ignore the 'intended' task and compute some other function. Note 
that in the case study, which inputs result in injury (i.e. those where 
the system clock indicates that the date is Jan. 1, 1990 or later), 
and what kind of injury occurs (file deletion) are the same whether 
the infected program is a text editor or a compiler or something else. 
Thus which inputs result in injury and what form the injury takes 
is independent of which infected program is running and is actually 
dependent solely on the virus itself. 

Infect: 

Perform the 'intended' task and if it halts, inf
```
ect programs. Notice in
particular that the clock, the user/program communications and all
other 'accessible' information other than programs, are handled just
as they would have been had the uninfected version of the program
been run. Further, notice that whether the infected program is a text 
editor or a compiler or something else, when it infects a program the 
resulting infected program is the same. Thus the infected form of 
a program is independent of which infected program produces the 
infection. 

Imitate: 

Neither injure nor infect. Perform the 'intended' task without mod- 
ification. This may be thought of as a special case of 'Infect', where 
the number of programs getting infected is zero. (In the case study, 
imitation only occurs when no programs are accessible for infection). 

A formal definition of computer virus is presented next. 



Notation 1

1. $S$ denotes the set of all finite sequences of natural numbers.

2. $e$ denotes a computable injective function from $S \times S$ onto $\mathbb{N}$ with com-
putable inverse.

3. For all $s, t \in S$, $\langle s, t \rangle$ denotes $e(s, t)$.

4. For all partial $f : \mathbb{N} \to \mathbb{N}$, for all $s, t \in S$, $f(s, t)$ denotes $f(\langle s, t \rangle)$.

5. $e'$ denotes a computable injective function from $\mathbb{N} \times \mathbb{N}$ onto $\mathbb{N}$ with com-
putable inverse such that for all $i, j \in \mathbb{N}$, $e'(i, j) > i$.

6. For all $i, j \in \mathbb{N}$, $\langle i, j \rangle$ denotes $e'(i, j)$.

7. For all partial $f : \mathbb{N} \to \mathbb{N}$, for all $i, j \in \mathbb{N}$, $f(i, j)$ denotes $f(\langle i, j \rangle)$.

8. For all partial $f : \mathbb{N} \to \mathbb{N}$, for all $n \in \mathbb{N}$, write $f(n) \downarrow$ iff $f(n)$ is defined.

9. For all partial $f : \mathbb{N} \to \mathbb{N}$, for all $n \in \mathbb{N}$, write $f(n) \uparrow$ iff $f(n)$ is undefined.

Definition 1 For all partial $f, g : \mathbb{N} \to \mathbb{N}$, for all $s, t \in S$, $f(s, t) = g(s, t)$ iff
either:

1. $f(s, t) \uparrow$ & $g(s, t) \uparrow$ or

2. $f(s, t) \downarrow$ & $g(s, t) \downarrow$ & $f(s, t) = g(s, t)$.

Definition 2 For all $z, z' \in \mathbb{N}$, for all $p, p', q = q_1, q_2, \ldots, q_z, q' = q'_1, q'_2, \ldots, q'_{z'} \in
S$, for all partial functions $h : \mathbb{N} \to \mathbb{N}$, $\langle p, q \rangle \sim \langle p', q' \rangle$ iff:

1. $z = z'$ and

2. $p = p'$ and

3. there exists an $i$, with $1 \le i \le z$, such that $q_i \ne q'_i$ and

4. for $i = 1, 2, \ldots, z$, either

(a) $q_i = q'_i$ or

(b) $h(q_i) \downarrow$ and $h(q_i) = q'_i$.

Definition 3 For all partial $f, g, h : \mathbb{N} \to \mathbb{N}$, for all $s, t \in S$, $f(s, t) \sim g(s, t)$
iff $f(s, t) \downarrow$ &

Definition 4 For all partial $f, g, h : \mathbb{N} \to \mathbb{N}$, for all $s, t \in S$, $f(s, t) \simeq g(s, t)$ iff
$f(s, t) = g(s, t)$ or $f(s, t) \sim g(s, t)$.



Definition 5 For all Gödel numberings of the partial recursive functions $\{\phi_i\}$,
a total recursive function $v$ is a virus with respect to $\{\phi_i\}$ iff for all $d, p \in S$,
either:

1. Injure:

$(\forall i, j \in \mathbb{N})[\phi_{v(i)}(d, p) = \phi_{v(j)}(d, p)]$

2. Infect or Imitate:

$(\forall j \in \mathbb{N})[\phi_j(d, p) \simeq \phi_{v(j)}(d, p)]$

Remark 1 The choice of symbols $d$, $p$ above is intended to suggest the decom-
position of all 'accessible' information into 'data' (information not susceptible
to infection) and 'programs' (information susceptible to infection).

3 Types of Viruses 

In this section the set of viruses is decomposed into the disjoint union of four 
principal types. The nature of so called 'Trojan horses' is considered. 



Definition 6 For all Gödel numberings of the partial recursive functions $\{\phi_i\}$,
for all viruses $v$ with respect to $\{\phi_i\}$, for all $i, j \in \mathbb{N}$:

$i$ is pathogenic with respect to $v$ and $j$ iff

$i = v(j)$ &

$(\exists d, p \in S)[\phi_i(d, p) \not\simeq \phi_j(d, p)]$
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i is contagious with respect to v and j iff 

i = v(j) & 

(3d,pes)fo(d,p) 

i is benignant with respect to v and j iff 
i = v(j) & 

i is not pathogenic with respect to j & 
i is not contagious with respect to j 

i is a Trojan horse with respect to v and j iff 

i - v{j) & 

i is pathogenic with respect to j & 
i is not contagious with respect to j 

i is a carrier with respect to v and j iff 

i = v(j) &: 

i is not pathogenic with respect to j & 
i is contagious with respect to j 

i is virulent with respect to v and j iff 

i = v(j) & 

i is pathogenic with respect to j & 
x is contagious with respect to j 

When there exists a unique j such that i = v(j) (e.g. when v is injective) then 
if i is pathogenic (contagious, benignant, a Trojan horse, a carrier, virulent) 
with respect to v and j, the reference to j will be dropped and i will be said to 
be pathogenic (contagious, benignant, a Trojan horse, a carrier, virulent) with 
respect to v. 

Hence, if with respect to some virus an infected program is benignant, then 
it computes the same function as its uninfected predecessor. If it is a Trojan 
horse then it is incapable of infecting other programs. It can only imitate or 
injure, and under the right conditions it will do the latter. If it is a carrier, it 
is incapable of causing injury but under the right conditions it will infect other 
programs. 
Definition 7 For all Gödel numberings of the partial recursive functions $\{\phi_i\}$,
for all viruses $v$ with respect to $\{\phi_i\}$:

$v$ is benign iff both:

$(\forall j \in N)$[$v(j)$ is not pathogenic with respect to $v$ and $j$]
$(\forall j \in N)$[$v(j)$ is not contagious with respect to $v$ and $j$]

$v$ is Epeian² iff both:

$(\exists j \in N)$[$v(j)$ is pathogenic with respect to $v$ and $j$]
$(\forall j \in N)$[$v(j)$ is not contagious with respect to $v$ and $j$]

$v$ is disseminating iff both:

$(\forall j \in N)$[$v(j)$ is not pathogenic with respect to $v$ and $j$]
$(\exists j \in N)$[$v(j)$ is contagious with respect to $v$ and $j$]

$v$ is malicious iff both:

$(\exists j \in N)$[$v(j)$ is pathogenic with respect to $v$ and $j$]
$(\exists j \in N)$[$v(j)$ is contagious with respect to $v$ and $j$]

The next theorem records some simple facts about types of viruses. 



Theorem 1 For all Gödel numberings of the partial recursive functions $\{\phi_i\}$,
for all viruses $v$ with respect to $\{\phi_i\}$:

1. $(\exists j \in N)$[$v(j)$ is benignant with respect to $v$ and $j$]

2. $v$ is benign iff

$(\forall j \in N)$

[$v(j)$ is benignant with respect to $v$ and $j$]

3. if $v$ is Epeian then

$(\forall j \in N)$

[[$v(j)$ is benignant with respect to $v$ and $j$] or
[$v(j)$ is a Trojan horse with respect to $v$ and $j$]]

4. if $v$ is disseminating then

$(\forall j \in N)$

[[$v(j)$ is benignant with respect to $v$ and $j$] or
[$v(j)$ is a carrier with respect to $v$ and $j$]]

² Now shift your theme, and sing that wooden horse
Epeios built, inspired by Athena -
the ambuscade Odysseus filled with fighters
and sent to take the inner town of Troy

The Odyssey of Homer, 8.492-495.
translation by Robert Fitzgerald
Doubleday & Co., NY, 1961

Proof 

Part 1 follows immediately from the recursion theorem. 
All other parts follow immediately from the definitions. 
□ 

Thus, all programs infected by a benign virus are benignant with respect to 
their uninfected predecessors. They function just as if they had never been 
infected. Viruses in this class appear to be the least threatening. This class 
includes many 'degenerate' viruses such as the identity function and 'padding' 
functions. 

Programs infected by an Epeian virus can only be benignant or Trojan horses 
with respect to their uninfected predecessors. Further the latter option must 
sometimes occur. Epeian viruses will not be able to spread themselves; however, 
an infected program may imitate the 'intended' task of its uninfected predecessor 
until some 'trigger' causes it to do damage. Among the Epeian viruses are the 
'degenerate' class of constant functions, which never imitate-or-infect but only 
injure. 

Programs infected by a disseminating virus can only be benignant or car-
riers with respect to their uninfected predecessors. Further the latter option
must sometimes occur. Thus programs infected with such viruses are never
pathogenic. However, it is worth noting that disseminating viruses may mod-
ify the size of programs or their complexity characteristics, and by this means
become detectable or cause harm (or benefit as in the case of the compression
virus). In fact, size and complexity may be important properties when con-
sidering viruses. An extension of the current theory to account for size and
complexity seems appropriate (see §further research).

Malicious viruses can both spread and produce injuries. They appear to be the
most threatening kind of virus. The 'case study virus' in §basic definitions is
malicious.
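The relations of Definitions 1 to 4 and the classifications of Definitions 5 to 7 (and the consequences recorded in Theorem 1) can be exercised on a finite sample. What follows is an added Python illustration, not code from the paper: programs are Python callables on tuples of naturals, a virus is a dict over a handful of indices, and the four constructed viruses (plus a fifth transformation that is not a virus at all) are assumptions chosen so that each class of Definition 7 appears. Because the tests quantify only over the constructed sample inputs, a verdict such as 'benignant' means 'no counterexample in the sample', not a proof; that limitation is exactly what Theorems 2 and 4 later make precise.

```python
"""Finite-sample model of Definitions 1-7 (added illustration, not code from the paper).

A 'program' phi is a callable phi(d, p) -> (e, q) or None, where d, p, e, q are
tuples of naturals (the sequences in S) and None stands for 'undefined' (the
paper's up-arrow).  A virus v is a dict over the finitely many indices used
here.  The programs, inputs and viruses below are all constructed."""

UNDEF = None


def similar(out1, out2, h):
    """Definition 2: <p,q> ~_h <p',q'> for two defined outputs."""
    (p, q), (p2, q2) = out1, out2
    if len(q) != len(q2) or p != p2:      # clauses 1 and 2
        return False
    if q == q2:                           # clause 3: some q_i must differ
        return False
    # clause 4: every component is unchanged or was replaced by h of itself
    return all(a == b or (h(a) is not UNDEF and h(a) == b) for a, b in zip(q, q2))


def equal(r, s):
    """Definition 1: both undefined, or both defined and equal."""
    return r == s


def infects(r, s, h):
    """Definition 3: both defined and related by ~_h."""
    return r is not UNDEF and s is not UNDEF and similar(r, s, h)


def congruent(r, s, h):
    """Definition 4: equal or ~_h."""
    return equal(r, s) or infects(r, s, h)


# A constructed Goedel-numbering fragment: two originals and their infected forms.
def copy_program(d, p):
    """Uninfected program 0: returns its input unchanged."""
    return (d, p)


def const_program(d, p):
    """Uninfected program 2: ignores its input."""
    return ((), ())


INJURED = ((0,), ())   # the one output every infected program gives when 'injuring'


def make_infected(base, kind, v):
    """Infected form of `base`.  d[0] mod 3 selects the behaviour on that input:
    0 -> imitate, 1 -> injure (trojan/virulent), 2 -> infect (carrier/virulent).
    kind 'bogus' does something on 2 that is neither injure, infect nor imitate."""
    def phi(d, p):
        mode = d[0] % 3 if d else 0
        if mode == 1 and kind in ("trojan", "virulent"):
            return INJURED
        if mode == 2 and kind in ("carrier", "virulent", "bogus"):
            e, q = base(d, p)
            if kind == "bogus":
                return (e, tuple(x + 7 for x in q))
            return (e, tuple(v[x] for x in q))   # replace each output program by v of it
        return base(d, p)
    return phi


def make_world(kind):
    """Programs {0, 2} uninfected, {1, 3} their infected forms; v = {0->1, 1->1, 2->3, 3->3}."""
    v = {0: 1, 1: 1, 2: 3, 3: 3}
    programs = {0: copy_program, 2: const_program}
    programs[1] = make_infected(copy_program, kind, v)
    programs[3] = make_infected(const_program, kind, v)
    return programs, v


# constructed sample inputs (d, p); p lists program indices of the world
SAMPLE_INPUTS = [((0,), (0,)), ((1,), (0,)), ((2,), (0,)), ((2,), (1,)), ((), ())]


def is_virus(programs, v, inputs):
    """Definition 5 on the sample: for each (d,p) either every infected program gives
    the same output (injure) or every phi_j is congruent to phi_v(j)."""
    h = v.get
    infected = {v[j] for j in programs}
    for d, p in inputs:
        injure = len({programs[i](d, p) for i in infected}) == 1
        imitate_or_infect = all(congruent(programs[j](d, p), programs[v[j]](d, p), h)
                                for j in programs)
        if not (injure or imitate_or_infect):
            return False
    return True


def classify(programs, v, j, inputs):
    """Definition 6 for i = v(j): benignant / Trojan horse / carrier / virulent."""
    h = v.get
    i = v[j]
    pairs = [(programs[j](d, p), programs[i](d, p)) for d, p in inputs]
    pathogenic = any(not congruent(r, s, h) for r, s in pairs)
    contagious = any(infects(r, s, h) for r, s in pairs)
    return {(False, False): "benignant", (True, False): "Trojan horse",
            (False, True): "carrier", (True, True): "virulent"}[(pathogenic, contagious)]


def classify_virus(programs, v, inputs):
    """Definition 7 on the sample: benign / Epeian / disseminating / malicious."""
    kinds = {classify(programs, v, j, inputs) for j in programs}
    pathogenic = bool(kinds & {"Trojan horse", "virulent"})
    contagious = bool(kinds & {"carrier", "virulent"})
    return {(False, False): "benign", (True, False): "Epeian",
            (False, True): "disseminating", (True, True): "malicious"}[(pathogenic, contagious)]
```

Running `classify_virus(*make_world("carrier"), SAMPLE_INPUTS)` returns "disseminating", and `classify(*make_world("carrier"), 2, SAMPLE_INPUTS)` returns "benignant" for the program that has nothing to pass infection on to, which is the pattern Theorem 1 part 4 describes; the "bogus" world fails `is_virus` because its infected copy program neither imitates, injures nor infects on the d = (2,) inputs.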



Remark 2 It may be appropriate to view contagiousness as a necessary prop-
erty of computer viruses. With this perspective, it would be reasonable to define
the set of viruses as the union of the set of disseminating viruses and the set of
malicious viruses, and to exclude benign and Epeian viruses altogether.



The question of detecting viruses is addressed in the next theorem:

4 Detecting The Set Of Viruses

Theorem 2 For all Gödel numberings of the partial recursive functions $\{\phi_i\}$:

$V = \{i \mid \phi_i \text{ is a virus}\}$ is $\Pi_2$-complete

Proof

Let $T = \{i \mid \phi_i \text{ is total}\}$. It is well known (§13 and §14 [Ro]) that $T$ is $\Pi_2$-complete.

To establish that $T \le_1 V$, let $j \in V$ (for example let $j$ be an index for the identity
function) and consider the function $g : N \to N$ such that for all $i, y \in N$:

$$g(i, y) = \begin{cases} \phi_j(y) & \text{if } \phi_i(y)\downarrow \\ \uparrow & \text{otherwise} \end{cases}$$

Then $g$ is a partial recursive function. Let $k$ be an index for $g$, and let $f : N \to N$
be such that:

$$(\forall i \in N)[f(i) = s(k, 1, i)]$$

where $s$ is as in the s-m-n theorem [Ro].
Then $f$ is a total recursive function and:

$$(\forall i, y \in N)\Big[\phi_{f(i)}(y) = \phi_{s(k,1,i)}(y) = \phi_k(i, y) = g(i, y) = \begin{cases} \phi_j(y) & \text{if } \phi_i(y)\downarrow \\ \uparrow & \text{otherwise} \end{cases}\Big]$$

It follows that:

$$i \in T \iff f(i) \in V$$

Thus $T \le_m V$. It follows, as in §7.2 [Ro], that $T \le_1 V$ as desired.

To establish that $V \in \Pi_2$, consider the following formula for $V$ which arises
directly from the definition of virus:

$$(\forall j)(\exists k, t)[E(i, j, k, t)]$$
&
$$(\forall \langle d, p \rangle)\,[\,(\forall j_1, k_1, t_1)$$
$$[E(i, j_1, k_1, t_1) \Rightarrow (\forall \langle e, q \rangle, t_2)[\neg H(k_1, \langle d, p \rangle, \langle e, q \rangle, t_2)]]$$
or
$$(\forall j_1, k_1, t_1, j_2, k_2, t_2)$$
$$[[E(i, j_1, k_1, t_1) \,\&\, E(i, j_2, k_2, t_2)] \Rightarrow$$
$$(\exists \langle e, q \rangle, t_3, t_4)[H(k_1, \langle d, p \rangle, \langle e, q \rangle, t_3) \,\&\, H(k_2, \langle d, p \rangle, \langle e, q \rangle, t_4)]]$$
or
$$(\forall j_1, k_1, t_1, \langle e, q \rangle, t_2)$$
$$[[E(i, j_1, k_1, t_1) \,\&\, H(j_1, \langle d, p \rangle, \langle e, q \rangle, t_2)] \Rightarrow$$
$$(\exists \langle e', q' \rangle, t_3, t_4)[H(k_1, \langle d, p \rangle, \langle e', q' \rangle, t_3) \,\&\, L(i, \langle e, q \rangle, \langle e', q' \rangle, t_4)]$$
&
$$[E(i, j_1, k_1, t_1) \,\&\, H(k_1, \langle d, p \rangle, \langle e, q \rangle, t_2)] \Rightarrow$$
$$(\exists \langle e', q' \rangle, t_3, t_4)[H(j_1, \langle d, p \rangle, \langle e', q' \rangle, t_3) \,\&\, L(i, \langle e', q' \rangle, \langle e, q \rangle, t_4)]]]$$

Where $H$ (and likewise $E$) is a 'step counting' predicate for $\{\phi_i\}$ such that:

$(\forall i, j, k)$

if $\phi_i(j) = k$ then $(\exists t)[H(i, j, k, t)]$
if $\phi_i(j) \ne k$ then $(\forall t)[\neg H(i, j, k, t)]$

And where $L$ is a predicate for $\{\phi_i\}$ such that:

$(\forall i, \langle e, q \rangle, \langle e', q' \rangle, t)$

if $\langle e, q \rangle \cong_{\phi_i} \langle e', q' \rangle$ then $(\exists t)[L(i, \langle e, q \rangle, \langle e', q' \rangle, t)]$
if $\langle e, q \rangle \not\cong_{\phi_i} \langle e', q' \rangle$ then $(\forall t)[\neg L(i, \langle e, q \rangle, \langle e', q' \rangle, t)]$

Since for all acceptable Gödel numberings of the partial recursive functions $\{\phi_i\}$
it is easily seen that there exist recursive predicates $H$ and $L$ as above, it follows
that $V \in \Pi_2$.

□ 

Thus detecting viruses is quite intractable, and it seems unlikely that protection 
systems predicated on virus detection will be successful. 

5 Isolation As A Protection Strategy 

As noted in [Col] isolating a computing environment from its surroundings is a 
powerful method of protecting it from viruses. For example, if no new programs 
can be introduced, no old programs can be updated, and no communication can 
occur, then it seems viruses are no threat. 

Unfortunately, such isolation is unrealistic in many computing environments.
The next theorems explore the possibility of protecting computing environments
with less severe forms of isolation.



Definition 8 For all Gödel numberings of the partial recursive functions $\{\phi_i\}$,
for all viruses $v$ with respect to $\{\phi_i\}$, let:

The infected set of $v$

$$I_v = \{i \in N \mid (\exists j \in N)[i = v(j)]\}$$



Definition 9 For all Gödel numberings of the partial recursive functions $\{\phi_i\}$,
for all viruses $v$ with respect to $\{\phi_i\}$, $v$ is absolutely isolable iff $I_v$ is decidable.

Clearly if a virus is absolutely isolable, then (at least in theory) it can be neu- 
tralized. Whenever a program becomes infected, it is detected and removed. 
The following is a simple fact about absolutely isolable viruses: 
Theorem 3 For all Gödel numberings of the partial recursive functions $\{\phi_i\}$,
for all viruses $v$ with respect to $\{\phi_i\}$: if for all $i \in N$, $v(i) > i$, then $v$ is absolutely
isolable.

Proof trivial. 

□ 

Thus the case study virus, as implemented using the scheme in §basic defini-
tions, would be absolutely isolable. In fact, what little experience with viruses
there is to date seems to suggest that in practice people who produce viruses
begin by producing ones with the increasing property necessary for theorem 3
to apply. Unfortunately, not all viruses have this property. For example, with
any reasonable compression scheme, the compression virus of §basic definitions
would not have this property. Nonetheless, the compression virus is absolutely
isolable. Given a program with the proper syntax, it is in the infected set if and
only if decompressing the compressed part results in a legitimate program.
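A decision procedure for $I_v$ in each of the two cases just discussed, as an added Python illustration (not the paper's own code): the index map $v(j) = 3j + 2$ is a constructed stand-in for a virus with the increasing property of Theorem 3, and a toy compression virus wraps a zlib-compressed copy of a byte-string 'program' behind a constructed `UNPACK:` marker. The toy program syntax (ASCII text starting with `PROG:`) and the marker are assumptions; the second case shows both that the infected form can be a shorter string (so the increasing argument does not apply) and that $I_v$ is nevertheless decidable by the syntax-plus-decompression test the paragraph describes.

```python
"""Deciding membership in the infected set I_v for two constructed viruses.
Added illustration for Definition 9 and Theorem 3; not code from the paper."""
import zlib


# --- Case 1: an 'increasing' virus, v(j) > j for every j (Theorem 3) -------------

def increasing_virus(j):
    """Constructed index map with the increasing property v(j) > j."""
    return 3 * j + 2


def in_infected_set_increasing(v, i):
    """Decide i in I_v = {v(j) : j in N} when v(j) > j for all j.

    Any pre-image j of i satisfies j < i, so only finitely many candidates need
    checking; this is the procedure behind the 'trivial' proof of Theorem 3."""
    return any(v(j) == i for j in range(i))


# --- Case 2: a toy 'compression virus' that does not have the increasing property ---

MARKER = b"UNPACK:"   # constructed syntax marking a compressed-then-wrapped program


def is_legitimate_program(prog):
    """Constructed toy syntax for an uninfected program: ASCII text starting 'PROG:'."""
    try:
        text = prog.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.startswith("PROG:")


def compression_virus(prog):
    """Infected form of prog: its compressed body behind the unpack marker.
    For a compressible prog the result is shorter than prog, i.e. under a
    length-ordered numbering the infected index is smaller, not larger."""
    return MARKER + zlib.compress(prog)


def in_infected_set_compression(prog):
    """Decide I_v for the compression virus as the paper describes: proper
    syntax, and decompressing the compressed part yields a legitimate program."""
    if not prog.startswith(MARKER):
        return False
    try:
        original = zlib.decompress(prog[len(MARKER):])
    except zlib.error:
        return False
    return is_legitimate_program(original)
```

Note that `in_infected_set_compression` rejects three different non-members for three different reasons: a plain uninfected program (no marker), a marker followed by bytes that are not a zlib stream, and a marker followed by a valid stream whose content is not a legitimate program; only the last of these needs the decompression step.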

Is every virus absolutely isolable? 

Regrettably, the next theorem shows that the answer is no.



Theorem 4 For all Gödel numberings of the partial recursive functions $\{\phi_i\}$,
there exists a total recursive function $v$ such that:

1. $v$ is a malicious virus with respect to $\{\phi_i\}$

2. $I_v$ is $\Sigma_1$-complete.

Proof

Let $f$ be a total recursive function such that:

$$Rg(f) = K = \{i \mid \phi_i(i)\downarrow\}$$

Let $j_1 : N \to N$ be a 1-1 total recursive function such that for all $i, x \in N$:

(1)

Such a function, known as a padding function, exists by Proposition 3.4.5 [MY].
Let $j_2 : N \to N$ be such that:

$$(\forall i, x \in N)[j_2(i, x) = j_1(i, y)]$$

where $y$ is the least natural number such that, for all $i', x' \in N$ with $\langle i', x' \rangle < \langle i, x \rangle$, $j_2(i', x') < j_1(i, y)$.

Then $j_2$ is a monotonically increasing total recursive function and by (1), it
follows that:

$$(\forall i, x \in N)[\phi_i = \phi_{j_2(i, x)}] \qquad (2)$$

Let $j' : N \to N$ be such that for all $i \in N$:

$$j'(i) = \begin{cases} y + 1 & \text{if } i = j_2(1, y) \\ 0 & \text{otherwise} \end{cases}$$

Then since $j_2$ is monotonically increasing, it follows that $j'$ is a total recursive
function.

Consider the function $b_1 : N \to N$ such that for all $d, p \in S$ and $i, k \in N$:

$$\phi_{b_1(i,k)}(d, p) = \begin{cases} 0 & \text{if } d \text{ is even} \\ \langle e, [\phi_k(q)] \rangle & \text{if } d \text{ is odd \& } \phi_i(d, p) = \langle e, [q] \rangle \text{ and } \phi_k(q)\downarrow \\ \uparrow & \text{if } d \text{ is odd \& } \phi_i(d, p) = \langle e, [q] \rangle \text{ and } \phi_k(q)\uparrow \\ \phi_i(d, p) & \text{otherwise} \end{cases}$$

where for all $q \in N$, $[q]$ denotes the one element sequence in $S$ consisting only
of $q$.

Then by standard arguments, $b_1$ is a total recursive function and:

$$(\forall i, x, k \in N)[\phi_{b_1(i,k)} = \qquad (3)$$

Let $b_2 : N \to N$ be such that for all $i, k \in N$:

$$b_2(i, k) = \begin{cases} j_2(b_1(i, k), f(0)) & \text{if } j'(i) = 0 \\ j_2(b_1(1, k), f(y)) & \text{if } j'(i) = y + 1 \end{cases}$$

Then $b_2$ is a total recursive function and it follows from (2) and (3) that:

$$(\forall i, k \in N)[\phi_{b_2(i,k)} = \phi_{b_1(i,k)}] \qquad (4)$$

Applying the s-m-n theorem there exists a total recursive function $g$ such that
for all $i, k \in N$:

$$\phi_{g(k)}(i) = b_2(i, k)$$

By the recursion theorem, there exists an $h \in N$ such that for all $i \in N$:

$$\phi_h(i) = b_2(i, h)$$

Let $v = \phi_h$. Then $v$ is a total recursive function since $b_2$ is.

Let $d, p \in S$, then using the fact that $v = \phi_h$ is a total recursive function and
applying (4) gives:

$$\phi_{v(i)}(d, p) = \phi_{b_2(i,h)}(d, p) = \phi_{b_1(i,h)}(d, p)$$

$$= \begin{cases} 0 & \text{if } d \text{ is even} \\ \langle e, [\phi_h(q)] \rangle & \text{if } d \text{ is odd \& } \phi_i(d, p) = \langle e, [q] \rangle \text{ \& } \phi_h(q)\downarrow \\ \uparrow & \text{if } d \text{ is odd \& } \phi_i(d, p) = \langle e, [q] \rangle \text{ \& } \phi_h(q)\uparrow \\ \phi_i(d, p) & \text{otherwise} \end{cases}$$

$$= \begin{cases} 0 & \text{if } d \text{ is even} \\ \langle e, [v(q)] \rangle & \text{if } d \text{ is odd \& } \phi_i(d, p) = \langle e, [q] \rangle \\ \phi_i(d, p) & \text{otherwise} \end{cases}$$

1 of the theorem now follows directly from the definition of malicious virus.

Since, for all total recursive functions $m$, $Rg(m)$ is recursively enumerable, it
follows that $I_v = Rg(v) \in \Sigma_1$.

Let $c : N \to N$ be such that for all $x \in N$, $c(x) = j_2(b_1(1, h), x)$. Since $j_2$ is
1-1 so is $c$. Then $x \in K$ implies the existence of a $y \in N$ such that $f(y) = x$.
Let $i = j_2(1, y)$, then:

$$c(x) = j_2(b_1(1, h), x) = j_2(b_1(1, h), f(y)) = b_2(i, h) = v(i) \in I_v$$

On the other hand, assume $x \notin K$ and $c(x) \in I_v$. Then there exists an $i \in N$
such that:

$$j_2(b_1(1, h), x) = c(x) = v(i) = b_2(i, h) = \begin{cases} j_2(b_1(i, h), f(0)) & \text{if } j'(i) = 0 \\ j_2(b_1(1, h), f(y)) & \text{if } j'(i) = y + 1 \end{cases}$$

Since $j_2$ is 1-1, it follows that $x = f(y) \in K$. $\Rightarrow\Leftarrow$. Hence, $K \le_1 I_v$ and 2 of
the theorem holds.

□

Thus, for the viruses described in the previous theorem, protection cannot be
based upon deciding whether a particular program is infected or not. Paradox-
ically, despite this, it is often possible to defend against such viruses. How such
a defense could be mounted will be described below; however, a few definitions
are in order first.

Definition 10 For all Gödel numberings of the partial recursive functions $\{\phi_i\}$,
for all viruses $v$ with respect to $\{\phi_i\}$, let:

The germ set of $v$

$$G_v = \{i \mid i \in N \,\&\, (\exists j \in N)[\phi_i = \phi_{v(j)}]\}$$

Thus the germs of a virus are functionally the same as infected programs, but
are syntactically different. They can infect programs, but cannot result from
infection. They may start 'epidemics', but are never propagated with them.

Definition 11 For all Gödel numberings of the partial recursive functions $\{\phi_i\}$,
for all viruses $v$ with respect to $\{\phi_i\}$, $v$ is isolable within its germ set iff there
exists an $S \subseteq N$ such that:

1. $I_v \subseteq S \subseteq G_v$.

2. $S$ is decidable.

Notice that if a virus is isolable within its germ set by a decidable set $S$, then not
allowing programs in the set $S$ to be written to storage or to be communicated
will stop the virus from infecting. Further, the isolation of some uninfected
germs by this process appears to be an added benefit.
Returning now to the viruses described in the previous theorem: assume that
the function $b_1$ above had the property that for all $i, k$, $b_1(i, k) > \langle i, k \rangle$.
The proof of the previous theorem could easily have been modified to assure
this. Further, in Gödel numberings derived in the usual fashion from natural
programming languages, a $b_1$ constructed in a straightforward manner would
have this property. Consider the set

$$S = \{j_2(b_1(i, h), y) \mid i, y \in Z_{\ge 0}\}$$

By the monotonically increasing property of $j_2$ and the property of $b_1$ which is
being assumed, $S$ is decidable. Now if $a \in I_v$ then there exists $i$
such that

$$a = v(i) = b_2(i, h) = \begin{cases} j_2(b_1(i, h), f(0)) & \text{if } j'(i) = 0 \\ j_2(b_1(1, h), f(y)) & \text{if } j'(i) = y + 1 \end{cases}$$

And it follows that $a \in S$. On the other hand if $a \in S$ then there exist $y, i$
such that

$$a = j_2(b_1(i, h), y)$$

By (2) and (4):

And hence $a \in G_v$ as desired.

Thus viruses like the ones in theorem 4 demonstrate that decidability of $I_v$ is
sufficient but not necessary for neutralization. Apparently, more work needs
to be done before a clear idea of the value of isolation will emerge. Are all
viruses isolable within their germ set? The answer is no (proof omitted). Are
all disseminating viruses isolable within their germ set? The answer is not
known. Are there notions of isolation which provide significant protection at a
reasonable cost?

6 Further Research 



The study of computer viruses is embryonic. Since so little is known, virtually 
any idea seems worth exploring. 



Listed below are a few avenues for further investigation. 
1. Complexity theoretic and program size theoretic aspects of computer viruses.

Introduce complexity theory and program size theory into the study of 
computer viruses. As noted earlier, even disseminating viruses may affect 
the complexity characteristics and size of infected programs and as a result 
become detectable or harmful. 

Complexity theory and program size considerations can be introduced at
an abstract level (see for example [MY]) or a concrete level.

For example, viruses in the 'real world' would probably have the property
that the running time of an infected program, at least while imitating or
infecting, would be at most polynomial (linear) in the running time of its
uninfected precursor. Does this class of 'polyn omial (linear) viruses' pose a
less serious threat? Do NP-completeness considerations, or cryptographic
considerations come into play?

2. Protection Mechanisms 

In this paper one form of protection mechanism, isolation, was briefly 
considered. In addition to considering isolation in greater depth, numerous 
other possibilities exist. For example: 

Quarantining

Is there value in taking a new program and running it in a safe envi-
ronment for a while before introducing it into an environment where
it could spread or do harm? For example, putting the new program
on an isolated machine with dummy infectable programs and with a
variety of settings of the system clock might evoke behavior indica-
tive of infection. In particular would this be helpful with the class of
polynomial viruses or linear viruses?

Disinfecting 

Under what circumstances can an infected program be disinfected?
Certainly when a virus is absolutely isolable there exists a procedure
which when given an infected program will return a program which
'infects to' the original one. How general is this phenomenon?

Certificates 

Can some programs be given a 'clean bill of health'? For example,
if it is known that a certain virus is about, would it be possible for a
vendor to 'prove' that his program was not in the germ set? Would
it be possible to prove that the software was not in the germ set of a
large class of viruses?
Operating System Modification

Could modifications to the operating system provide some protection?
For example, assume that the (secure) operating system required that
the user 'initiate' all new programs by designating the files which the
program is given the privilege to read and write. Then, for example,
a simple program (e.g. a game) could be given only the privilege to
read and write files it creates. If the program was uninfected it might
perform satisfactorily under this constraint. If however the program
was infected, this constraint might severely limit the damage due to
the virus. (This example arose during joint work with K. Kompella).
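A constructed Python model of that operating-system idea, added here as an illustration (it is not from the paper or the joint work it cites): a reference monitor records the files the user designated at initiation, lets a program read and write only those files and the files it created itself, and logs every refused operation. The program name, file names and contents are made up; the point is that a game which behaves as intended runs unhindered, while the same game's attempts to overwrite files it was never granted (what an infected copy would try) are refused and leave an audit trail.

```python
"""Model of 'initiate a program by designating its files' (added example, not from the paper)."""


class PrivilegeMonitor:
    """Reference-monitor model: a program may touch only the files designated
    at initiation plus the files it created itself."""

    def __init__(self, files):
        self.files = dict(files)       # simulated storage: path -> content
        self.privileges = {}           # program -> {"read": set, "write": set, "created": set}
        self.audit = []                # (program, operation, path, allowed)

    def initiate(self, program, readable=(), writable=()):
        """The user 'initiates' a program by naming the files it may read and write."""
        self.privileges[program] = {"read": set(readable), "write": set(writable),
                                    "created": set()}

    def _authorize(self, program, op, path):
        priv = self.privileges[program]
        allowed = path in priv["created"] or path in priv[op]
        self.audit.append((program, op, path, allowed))
        if not allowed:
            raise PermissionError(f"{program}: {op} of {path} was not granted at initiation")

    def create(self, program, path, content=b""):
        """A fresh file may always be created and becomes the program's own;
        'creating' a path that already exists is treated as a write to it."""
        if path in self.files:
            self._authorize(program, "write", path)
        else:
            self.privileges[program]["created"].add(path)
            self.audit.append((program, "create", path, True))
        self.files[path] = content

    def read(self, program, path):
        self._authorize(program, "read", path)
        return self.files[path]

    def write(self, program, path, content):
        self._authorize(program, "write", path)
        self.files[path] = content

    def denied(self):
        """Refused operations, the signal an operator would review."""
        return [(p, op, path) for p, op, path, ok in self.audit if not ok]


def run_demo():
    """A game that behaves as intended, then tries to touch files it was not
    granted (what an infected copy would attempt).  Returns the monitor."""
    mon = PrivilegeMonitor({"editor": b"PROG: editor v1", "config": b"level=3"})
    mon.initiate("game", readable={"config"})          # only 'config', read-only
    mon.create("game", "scores.dat", b"0")             # its own file: read/write allowed
    mon.write("game", "scores.dat", b"42")
    mon.read("game", "config")                          # designated at initiation: allowed
    for target in ("editor", "config"):                 # neither was granted for writing
        try:
            mon.write("game", target, b"tampered")
        except PermissionError:
            pass
    return mon
```

The constraint does nothing to decide whether the game is infected (Theorems 2 and 4 say that is the wrong question); it bounds what any program, infected or not, can alter, which is why the two refused writes appear in `denied()` while `editor` and `config` keep their original contents.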

3. Other Models Of Computer Viruses. 

The notion of computer viruses presented here is not the only one possi- 
ble. It was selected because it seemed to be an adequate place to begin 
an investigation. More general, and more restrictive notions are possi- 
ble. Indeed it seems possible that no definition will conform to everyone's 
intuitions about 'computer viruses'. 

More 'machine dependent' approaches could be considered. Approaches 
which take into account the communications channels over which viruses 
pass seem particularly important. 

One interesting generalization of the current notion is inspired by [Col],
where viruses are assumed to be capable of evolving. The 'Mutating
Viruses' (μ-viruses) partially defined next are an attempt to capture this
property.



Definition 12 For all $z, z' \in N$, for all $p, p', q = q_1, q_2, \ldots, q_z, q' = q'_1, q'_2, \ldots, q'_{z'} \in S$,
for all sets $H$ of partial functions from $N$ to $N$, $\langle p, q \rangle \sim_H \langle p', q' \rangle$ iff:

(a) $z = z'$ and

(b) $p = p'$ and

(c) there exists an $i$, with $1 \le i \le z$, such that $q_i \ne q'_i$ and

(d) for $i = 1, 2, \ldots, z$, either

i. $q_i = q'_i$ or

ii. there exists an $h \in H$ such that $h(q_i)\downarrow$ and $h(q_i) = q'_i$.

Definition 13 For all sets of partial functions $H$ from $N$ to $N$, for all
partial $f, g : N \to N$, for all $s, t \in S$, $f(s,t) \sim_H g(s,t)$ iff $f(s,t)\downarrow$
& $g(s,t)\downarrow$ & $f(s,t) \sim_H g(s,t)$.

Definition 14 For all sets of partial functions $H$ from $N$ to $N$, for all
partial $f, g : N \to N$, for all $s, t \in S$, $f(s,t) \cong_H g(s,t)$ iff $f(s,t) = g(s,t)$
or $f(s,t) \sim_H g(s,t)$.

Definition 15 For all Gödel numberings of the partial recursive functions
$\{\phi_i\}$, a set $M$ of total recursive functions is a mutating virus, $\mu$-virus, with
respect to $\{\phi_i\}$ iff both:

(a) for all $m \in M$, for all $d, p \in S$ either:

i. Injure:

$(\forall i, j \in N)[\phi_{m(i)}(d,p) = \phi_{m(j)}(d,p)]$

ii. Infect or Imitate:

$M$



Some computer viruses which have recently caused problems (e.g. the
so called 'Scores virus' [Up] which attacked Macintosh computers) are μ-
viruses and not just viruses. Hence this generalization of the notion of
virus may be of more than theoretical interest.

This is only a partial definition because some notion of 'connectivity' is
needed. That is, the union of two μ-viruses, neither of which 'evolves'
into the other, should not be a μ-virus. Many definitions of 'connectivity'
can be given, but further study will be required to choose those which
are most appropriate. Once an appropriate choice is made, an important
question will be whether the set of infected indices of a μ-virus can be
harder to detect than those of a virus.

4. Computer Organisms. 

This issue has evolved during joint work with K. Kompella. 
There appear to be programs which can reproduce or reproduce and injure
but which are not viruses (e.g. programs which just make copies of them-
selves but never 'infect'). These 'computer organisms' may be a serious
security problem.

It may be appropriate to study 'computer organisms' and treat 'computer
viruses' as a special case.
Abuses in Cryptography and How to Fight Them

(Extended Abstract) 



Yvo Desmedt 
Dept. EE & CS, Univ. of Wisconsin - Milwaukee 
P.O. Box 784, WI 53201 Milwaukee, U.S.A. 

Abstract. The following seems quite familiar: "Alice and Bob want to flip a coin
by telephone. (They have just divorced, live in different countries, want to decide
who will have the children during the next holiday.) ..." So they use [Blu82]'s (or an
improved) protocol. However, Alice and Bob's divorce has been set up to cover up
their spying activities. When they use [Blu82]'s protocol, they don't care if the "coin-
flip" is random, but they want to abuse the protocol to send secret information to
each other. The counter-espionage service, however, doesn't know that the divorce
and the use of [Blu82]'s protocol are just cover-ups.

In this paper, we demonstrate how several modern crypto-systems can be abused.
We generalize [Sim83b]'s subliminal channel and [DGB87]'s abuse of the [FFS87,
FS86] identification systems and demonstrate how one can prevent abuses of crypto-
systems.

1 Introduction 

[Sim83b] introduced the notion of subliminal channel. His example is related to two
prisoners who are communicating authenticated messages in full view of a warden,
who is able to read the messages. The subliminal channel consists in hiding a message
through the authentication scheme such that the warden cannot detect its use nor read
the hidden part. At Crypto'87, [DGB87] discussed a similar scenario by demonstrating
that the [FFS87,FS86] identification systems can be abused for sending secret mes-
sages in an undetectable way. Claiming that he is identifying himself, [DGB87] en-
ables, for example, a mafia Godfather to communicate under the F.B.I.'s very nose
without having to worry that it would be detected. In this paper we will generalize
these undetectable abuses and subliminal channels. We prefer to use the term abuse
in the general context and reserve the word subliminal for the special context in which
it is an abuse of an authentication or signature system. We will briefly demonstrate

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 375-389, 1990.
© Springer-Verlag Berlin Heidelberg 1990
that many modern crypto-systems can be abused (see Section 2). Abuses (in par-
ticular subliminal channels) are not covert channels in the strict way, as will briefly
be discussed in Section 2.2.

The main purpose of this paper is to make abuse-free crypto-systems (including 
protocols). In Section 2.3, we will propose the main tool, while in Section 3 we 
will give general solutions to solve the abuse problem. Specific applications, such as 
coin flipping over the telephone, and subliminal-free authentication- and signature 
systems will be focused on in more detail in Section 4. 

2 Abuses 

2.1 An introduction 

The problem of fraud, such as eavesdropping and modification of messages, is well
known. It can be said that modern cryptography studies the methods used to protect
data against several types of fraud. A crypto-system protects data against a subset of
frauds. For example, [BG84] protects the information against an eavesdropper who
would use ciphertext-only and known-plaintext, but not chosen-ciphertext attacks.

Let us now discuss what an abuse is. In order for our definition to make sense, 
we need a warden, as in [Sim83b]. If A uses a crypto-system or is a party of a 
protocol, we say that A can abuse the system if she is able to use it for a different 
purpose than for which it is intended. An abuse is undetectable if it is impossible 
for the warden to detect (in polynomial time) that A uses the abuse. It is trivial 
to make detectable abuses. So we will only discuss undetectable abuses and will call 
them briefly: "abuses". A particular abuse is that A is able to send (encrypted) 
information to other parties involved besides the warden. 

A formal and more general definition of an abuse can be given (see [Des]), but 
this formal definition is complex and therefore not covered here. Informally, if A 
is supposed to use a crypto-system C (or is a party of a cryptographic protocol), 
but uses a different special system (C), we say that A can abuse the system if the 
numbers that she sends: 

• do not allow the warden to distinguish (in polynomial time) between normal 
use and special use, 

• allow a participant (e.g. B) to distinguish with high enough probability. 

It is trivial to understand that an abuse can consist in replacing the random values
used in a crypto-system by pseudo-random ones, or even by the output of a one-time
pad. The user who abuses a system can find the use of his abuse more important
than endangering the security of the system, in particular his secret. Abusing sys-
tems such as [Blu82] and zero-knowledge is trivial, and it is remarkable that this aspect
of crypto-systems has never been studied before except in a narrow context such as au-
thentication [Sim83b] and identification [DGB87]. Remark that the goal of an abuse
can be considered as the opposite of the goal of zero-knowledge.

2.2 Abuses versus covert channels 

It is important to remark that, strictly speaking, abuses are not covert channels. 
According to [Lam73, p. 614]: 

Covert channels, i.e. those not intended for information transfer at all, 
such as the service program's effect on the system load. 

A more general definition can be found in [Dep83, p. 110]. 

It is very important to observe that the Lampson definition implies that abuses are 
not covert channels. Indeed, messages are transmitted in crypto-systems so they are 
intended for information transfer. For example, a zero-knowledge protocol intends 
a very small information transfer. 

In this paper we will only discuss abuses and not covert channels. Leaking infor- 
mation through methods such as time jitter, crosstalk and amplitude modulation, 
as discussed in [Sim88, p. 626], are covert channels, and thus not a topic of this 
paper. 

Whether our solutions against abuses can be extended to covert channels is a
new, open question. The author admits that the difference between abuses and
covert channels is debatable, and that one could claim that abuses are very special
covert channels. In this paper we consider them to be different. What makes abuses
so unique is that the hidden information is a "number", and that one can hide it
by using a crypto-system. Formalizing the definition of covert channels could imply
that the new open problem can be solved.

2.3 Abuse-freeness 

We will say that a warden is passive if he is just observing the communication
between the participants. In the narrow context of authentication, which was studied
in [Sim83b], the warden was also passive. Our main solution against abuses is based
on an active warden W who does not only listen in order to catch subliminal senders, but
also interacts in the communication in a special way to better enforce the subliminal-
freeness. In other words, he participates actively in the communication between all
participants and he can modify the "numbers" that are communicated. The only
trust in the active warden consists in believing he will not help to set up an abuse.
One could compare the active warden with Simmons' idea used to exclude the use
of analog covert channels [Sim83a, p. 65]. The main difference is that the active
warden is digital.

Informally, we said that a system can be abused if another system exists such 
that the warden cannot distinguish between normal execution and the execution of
the other system, while a participant can. So, abuse-freeness can be considered as
the logical negation of the existence of an abuse. It means: if a participant is able
to distinguish between execution of the normal system and a different one, then the
warden can distinguish it also, and this for all possible different systems which
are different from the normal system. Hereto the warden will modify the numbers
that are transmitted. An exact and more formal definition is given in [Des], but not
included here because it is too lengthy and complicated.

Evidently, the action of the warden may not endanger the security of the system. 

2.4 Practical aspects of the warden 

One could wonder if it is possible to construct abuse-free crypto-systems where the 
warden is passive. In Section 3.3 we will briefly discuss this topic. 

In our solution, one assumes that there is one (active) warden. In some situations, 
as in the verification of treaties [Ada88,Sim88], it is in reality sufficient and achiev- 
able to have only one active warden. However, in some circumstances having only 
one warden is insecure or impractical. [Des] discusses these situations and proposes 
better models. Let us briefly overview them. 

Goutier [DGB87] remarked that the subliminal sender can also send information 
to others who are eavesdropping on the communications. Indeed, passive and active 
eavesdroppers can be subliminal receivers. In this paper, we assume that this isn't 
the case. It is not hard to generalize our results in order to solve the problem 
of eavesdroppers who are subliminal receivers by using two wardens to protect a 
communication link, one at each end of the line. These two wardens could trust 
or distrust each other. Some of our protocols can easily be adapted to it. Other 
problems are: 

• that we assume that the warden himself will not try to abuse the system; 
implying that we trust the warden will not try to send hidden information, 

• speed and number of interactions between warden and participants, 

• that it is not excluded that participants have been able to hide a covert or 
physical channel with small capacity. The warden is unaware of this extra 
channel. The existence of this hidden channel could imply that the system, 
which was originally abuse-free, is no more due to this extra information. 

We call this last problem the collapse problem. These topics and how to solve them 
are discussed in [Des]. 

We now discuss how the idea of an active and censoring warden can actually be 
used. The main techniques that we use are: commitment, zero-knowledge [GMR], 
and the one-time pad crypto-system. 
We will start by discussing the more general cases first. Proofs will not be given 
because they require a formal definition. 

3 Abuse-free systems in a general context 

Zero-knowledge allows A to restrict leaks of information if A wants. We demonstrate 
that a warden can enforce A not to leak information, even if A tries her hardest. 
Hereto, we first discuss in Section 3.1, in general terms, how to generate a public key 
in an abuse-free way. We then discuss how to make interactive and non-interactive 
zero-knowledge abuse-free. 

3.1 How to generate a public key in an abuse-free way 

Motivation 

Publishing a public key can be abused. To illustrate, suppose that A publishes a 
public key n = pq, where p and q are primes of 100 digits. If A is able and/or allowed 
to give B a 100 digit number e.g., p, it is trivial to understand that, by publishing n, 
A is able to leak 100 digits of extra information to B (for improvements see [RS85]). 
Another method for leaking information is to choose p and q such that the least 
significant bits of n have a special form not required by the specifications. 

So the process of publishing a key is abuse-free if the key is guaranteed to be 
random beside the specifications e.g., a product of two large different primes both 
congruent to 3 modulo 4. 

A solution could be that the warden chooses the public key of A. However, this 
allows the warden to become Big Brother. We exclude this solution. 

A solution 

To generate the public key, A normally chooses some random number R, verifies 
whether R satisfies the conditions C and, if so, calculates the public key P = GEN(R), where GEN 
is a publicly known algorithm. However, it is also possible that R is not suited (does 
not satisfy C), e.g., p and q that are composite numbers are unsuited for RSA. In 
the last case, we require that A must be able to convince the active warden W that 
this R is unsuited to make P. Roughly speaking, to obtain an abuse-free public key, 
A will use her own generated random R exored with a random R' generated by W 
to make the public key P. The following protocol makes it clear that no cheating is 
possible. 

First W and A agree on a commitment algorithm (or circuit) E, such that the 
commitment can be verified in random polynomial time. They also agree on algo- 
rithm TESTC to verify that R satisfies conditions C, and on algorithm TESTNOC 
to verify that R does not. We then have: 
Step 1 A chooses a (random) binary string R = (r_1, r_2, ..., r_l) of l bits, an appro- 
priate k, and A sends M = E_k(R) to W as a commitment for R. 

Step 2 W chooses a truly random binary string R' = (r'_1, r'_2, ..., r'_l) of l bits and 
sends it to A. 

Step 3 A calculates S = (r_1 ⊕ r'_1, r_2 ⊕ r'_2, ..., r_l ⊕ r'_l) (⊕ is exclusive or). Shortly we 
denote S = R ⊕ R'. If S satisfies conditions C (case 1) then A calculates 
P = GEN(S) and sends P to W. A then proves to W that there exists 
R = (r_1, r_2, ..., r_l) and k such that: 

M = E_k(R) ∧ TESTC(R ⊕ R') ∧ P = GEN(R ⊕ R'). 

This proof has to be zero-knowledge. Else (case 2) A convinces W that S 
does not satisfy conditions C. In this case, A can even reveal R and k to 
convince W. 

Step 4 W verifies A's proof. If this proof fails, W stops the protocol, else one con- 
tinues. In the case that a P was delivered by A (case 1), W publishes A's 
public key P and the protocol halts. Else (in case 2) the protocol restarts from 
the beginning (Step 1). 

Important remarks 

Security (privacy of the secret key) and abuse-freeness of this protocol are proven 
in [Des]. The security is based on the assumption that the commitment algorithm 
is hard to invert. Indeed, if the commitment algorithm could be broken, the warden 
will know A's secret key. The abuse-freeness is unconditional. 

In most cases the zero-knowledge proof which is given in Step 3 is impractical and 
too slow, certainly when it has to be based on [GMW86]. But because public keys 
are only generated occasionally, this is of less importance. If we would use [BC86], 
the unconditionality of the abuse-freeness disappears. 

3.2 Abuse-free interactive zero-knowledge 

Many practical zero-knowledge protocols can be made abuse-free. We will mainly 
give a general result by demonstrating how to make the [GMW86] zero-knowledge 
proof of 3-colourability abuse-free, and indicate how one can make the [BC86] zero- 
knowledge proof for SAT abuse-free. Let us start with [GMW86]. 

We use the same notation as in [GMW86, pp. 176-177], but we number the edges 
as E = {0, 1, ..., m − 1} and we call the prover A and the verifier B. One agrees 
that the protocol will always end after I iterations, I in function of the (security) 
parameters. The main problem is that A will reveal (π(φ(u)), r_u) and (π(φ(v)), r_v), 
which could be abused. A similar approach as in Section 3.1 could be followed 
but would be very impractical. The following protocol avoids this. It is organized 
such that all numbers that are sent cannot be abused. The warden will influence all 
numbers that are transmitted from A to B and vice-versa. 

Step 1 A chooses a (random) permutation π ∈ Sym({1, 2, 3}) and (random) 
r_v, r'_v and k_v (large enough) and computes the commitments R_v = 
f(π(φ(v)), r_v) and K_v = f(k_v, r'_v) (for all v ∈ V), and sends R_1, R_2, 
..., R_n and K_1, K_2, ..., K_n to W. 

Step 2 W chooses a truly random π' ∈_R Sym({1, 2, 3}) and truly random k'_1, k'_2, 
..., k'_n and sends them to A. 

Step 3 A calculates π'' = π'·π and k''_v = k_v ⊕ k'_v and R'_v = f(π''(φ(v)), k''_v) (for all 
v ∈ V) and sends R'_1, R'_2, ..., R'_n to W. 

Step 4 W chooses truly random s_v and calculates R''_v = f(R'_v, s_v) (for all v ∈ V) 
and sends R''_1, ..., R''_n to B. 

Step 5 B selects (at random) an edge e ∈ E and a (random) t and sends S = 
f(e, t) to W. 

Step 6 W chooses a truly random e' ∈_R E and sends it to B. 

Step 7 B reveals e and t to W. 

Step 8 W verifies if e ∈ E and checks whether S = f(e, t). If both conditions 
are satisfied, then W calculates e'' = e + e' mod m (edges were hereto 
specially numbered) and sends e'' to A. Else W stops the protocol. 

Step 9 Let (u, v) correspond with e'', where u, v ∈ V and u < v. A reveals 
(π''(φ(u)), k''_u, r_u) and (π''(φ(v)), k''_v, r_v) to W. If e'' ∉ E (W cheats), 
then A stops. 

Step 10 W uses the information revealed by A to check R'_u. Then W calculates k_u 
(k_u = k''_u ⊕ k'_u) and verifies K_u. He then calculates π(φ(u)) (starting from 
π''(φ(u)) and π') and verifies R_u. He does exactly the same to verify R'_v, 
K_v and R_v. W then checks if π(φ(u)) ≠ π(φ(v)) and π(φ(u)), π(φ(v)) ∈ 
{1, 2, 3}. If either condition is violated, W rejects and stops the protocol, 
else W reveals (π''(φ(u)), k''_u, s_u) and (π''(φ(v)), k''_v, s_v) to B. 

Step 11 B checks if R''_u = f(f(π''(φ(u)), k''_u), s_u) and similar for R''_v. He also checks 
if π''(φ(u)) ≠ π''(φ(v)) and π''(φ(u)), π''(φ(v)) ∈ {1, 2, 3}. If either con- 
dition is violated, B rejects and stops the protocol, else one continues with 
the next iteration if the number of iterations is less than I (else stops and 
B accepts). 

As in [GMW86], <j> is never released. Their main theorems remain valid, so abuse- 
free zero-knowledge protocols exist for all NP languages. The abuse-freeness of the 
above protocol is not unconditional. 
If W is forced to stop the protocol (see Step 8 and Step 10), one could correctly 
remark that A or B has succeeded in leaking one bit of information. However, this 
is not an abuse according to our definition because the warden can detect it, too. 
In practice it means that one is able to leak one bit of information (the fact that 
W was forced to stop the protocol), however, the risk to be caught is too high to 
attempt it. The same remark is valid for most protocols that we will discuss further 
in this paper. We will not repeat this remark. 

Let us now explain how to make the [BC86] zero-knowledge proof abuse-free. We 
will use the same notations as in [BC86]. Here, we only demonstrate how A can 
prove, in an abuse-free way, to B that b_1 = b_2 without revealing them. It is then 
trivial (see [Des]) to extend the results to make the [BC86] zero-knowledge proofs 
abuse-free. We assume that B has published abuse-free y ∈ QR_n and n, such that 
n = pq where p and q are both primes congruent to 3 modulo 4, and has convinced A 
by using a [GMW86] type abuse-free zero-knowledge protocol that y and n satisfy 
the conditions. Remark that the requirement that y, n and the last proof have to 
be abuse-free can be relaxed. This means, for example, that if A would know 
the factorization of n, it would not help her to abuse the following protocol. The 
abuse-free protocol to prove that b_1 = b_2 is as follows: 

Step 1 A chooses a (random) w_1, such that gcd(w_1, n) = 1 and calculates z_1 = 
±w_1^2 y^{b_1} mod n. A calculates z_2 in a similar way. A then calculates w as in 
[BC86] (if b_1 = 1 and b_2 = 1 then w = w_1 w_2 y mod n, else w = w_1 w_2 mod 
n). A sends z_1, z_2 and w to W. 

Step 2 W verifies if z_1 z_2 = ±w^2 mod n or if z_1 z_2 = ±w^2 y mod n. He also verifies 
if the Jacobi symbols (z_1 | n) = 1 and (z_2 | n) = 1. If either condition 
is violated W stops the protocol, else he chooses truly random ψ_1 and ψ_2 
coprime with n and sends z'_1 = ±ψ_1^2 z_1 mod n, z'_2 = ±ψ_2^2 z_2 mod n and 
w' = ψ_1 ψ_2 w mod n to B. 

Step 3 B verifies if z = z'_1 z'_2 = ±w'^2 mod n; if so, then b_1 = b_2, else b_1 ≠ b_2. 

The abuse-freeness is unconditional and the protocol is practical. Remark that 
in the original [BC86] proof, n didn't have to have the special form we request, and 
the ± were not used in the protocol. Without these modifications it would have 
been impossible to make the protocol abuse-free without increasing the overhead 
enormously. Purdy made the observation to the author that the test of the Jacobi 
symbol can be eliminated by choosing p = 3 mod 8 and q = 7 mod 8. However, it 
must then be replaced by a test for gcd, which is almost as involved. 

3.3 Abuse-free non-interactive zero-knowledge 

Non-interactive zero-knowledge protocols were introduced by [BFM88]. Let us briefly 
discuss, from our point of view, the main ideas used in it. Prover and verifier share 
a common random string (the rand tables). The verifier does not need to toss secret 
coins; however, the prover tosses secret coins. When A proves a theorem, we say 
that she feeds her private random coin tosses into the proof mechanism. 

The main problem from our viewpoint is that nothing guarantees that the prover 
will indeed toss coins and will not proceed differently in order to abuse. We now 
sketch how one can make abuse-free non-interactive zero-knowledge (more details 
are in [Des]). 

In the set-up process each individual makes a secret abuse-free seed, in a similar 
way as in Section 3.1. This means that the individual, A, chooses a number, R, 
and that she sends the warden W a commitment to R. The warden, W, chooses 
a random number R' and sends it to A. We call S = R ⊕ R' (bit by bit exclusive 
or) the abuse-free seed. Let us now discuss how to proceed when A wants to prove 
a theorem τ in non-interactive zero-knowledge. A uses a commonly agreed upon 
pseudo-noise generator which starts from the abuse-free seed. The output of that 
generator is fed to the proof mechanism. To understand the idea, it is important to 
observe that by knowing the seed, the proof mechanism is a deterministic process. 
A now also generates a non-interactive proof to demonstrate that she used the seed 
S in the correct way and that indeed S = R ⊕ R', where the R' had been chosen 
earlier by the warden and that she committed herself to R. R itself will never be 
released! So the warden receives two non-interactive zero-knowledge proofs: the first 
for theorem τ and the second to prove that A "decently behaved" when she was 
proving the first theorem. The warden verifies both theorems and will censor the 
second one. If both are correct, the warden publishes (or sends) the first proof. 

The abuse-freeness is not unconditional. A problem of the above solution is that 
it suffers from the collapse problem. Indeed, suppose that there exists for a few days 
a covert channel with small capacity between the prover and a verifier, which cannot 
be controlled by the warden, W. If the prover sends to that verifier the seed S (secret 
previously unknown), then the zero-knowledge disappears from a practical point of 
view (it is still theoretically zero-knowledge). The prover can then later abuse the 
non-interactive protocol to send the complete proof to the verifier and the warden 
will believe falsely that the verifier will not learn more than the fact to be convinced 
that the prover knows a proof. The protocols discussed earlier in this paper didn't 
suffer from this collapse problem. 

The warden in this scenario is less active than in previous ones. His only action 
is verification and censoring; we therefore call him a censoring warden. The idea of a 
censoring warden opens the question if it is possible to reduce the warden's role 
to a passive one while keeping the abuse-freeness. If it would be possible to generate true 
randomness and to prove in some zero-knowledge way that indeed the numbers are 
truly random, then the above open problem could be solved. In this context, one could 
think of using the [GMW86, p. 182] ideas to prove pseudorandomness; however, in many 
of the systems discussed here the abuse-freeness is unconditional. So the question 
is if one can benefit from both unconditional abuse-freeness and a passive warden. 
Making the warden less active does not necessarily imply that the system becomes 
more practical. Indeed, the above solution is, for the moment, completely impractical 
because the prover has to perform a tremendous amount of work. 

4 Abuse-free crypto-systems: in narrow contexts 

We will briefly discuss particular abuse-free crypto-systems which are more useful 
for daily life applications. 

4.1 Abuse-free privacy 

It is possible to make probabilistic public-key encryption systems as [BG84] abuse- 
free. This may seem meaningless. However, it could be that a warden allows A to 
send m encrypted bits but no more. This can be achieved by making it abuse-free, 
regardless of the fact that [BG84] expands the data. 

4.2 Abuse-free authentication and signatures 

Based on [GMR88], zero-knowledge and the idea of an active warden, a "practical" 
abuse-free (public-key) authentication system and a less practical abuse-free signa- 
ture system were presented by the author in [Des88]. The author, [Des88] observed 
also that in the case that zero-knowledge is combined with [GMR88] for authenti- 
cation purposes, the authentication tree can be dropped without endangering the 
proven secure aspect of the scheme. We now discuss a more practical abuse-free 
signature system. 

We briefly discuss here how one can make an abuse-free signature system based 
on [FFS87,FS86]. Let (n, I_1, ..., I_k) be an abuse-free public key, such that n = pq, 
where both p and q are congruent to 3 modulo 4 and I_j = s_j^2 mod n. We assume 
that n has indeed this form and that the warden has been convinced of this once 
and for all. When A wants to sign the message m: 

Step 1 W chooses truly random r_i ∈ QR_n, and random k_i, and sends E_{k_i}(r_i) 
(1 ≤ i ≤ t) as commitments to A. 

Step 2 A picks (random) ρ_i ∈ QR_n and computes x_i = ρ_i^2 mod n and sends these 
x_i to W. 

Step 3 W reveals (r_i, k_i) to A. 

Step 4 A verifies the commitments. If satisfied, A computes x'_i = r_i x_i and computes 
e_ij starting from x'_i, in a similar way as in [FS86]. 

Step 5 One continues in a similar way as in [FS86] with the x'_i. W verifies if A 
has used the r_i. A has to prove (using zero-knowledge) to W that all the 
numbers that she has sent, except the e_ij, are quadratic residues mod n. 
Then W publishes the signature. 

The problem that f is non-random remains, which implies that problems arise to 
prove the security of the signature system, similarly as in [FS86]. Two aspects of 
the above protocol can be improved by modifying it. The above protocol is not 
unconditionally abuse-free. Indeed if the commitment function E can be broken, 
then A can abuse it. This evil can be overcome by changing the protocol so that 
A is committing herself, instead of the warden, similarly as it was in all previous 
protocols. In Step 5, it was mentioned that A has to prove that all numbers (except 
e_ij) are quadratic residues; this includes all ρ_i. One can drop the zero-knowledge 
proof for ρ_i if ρ_i ∈ Z_n^{+1} = {y ∈ Z_n^* | (y | n) = 1}, and if the warden can choose 
randomly, with uniform distribution, in polynomial time y's with Jacobi symbol 
(y | n) = 1. Details of the modified algorithm are described in [Des]. 

4.3 Abuse-free coin flipping over the telephone 

We now apply our tools to make a modified version of Blum's protocol abuse-free. 

We will base our solution on this assumption: it is hard to determine if a number 
is a quadratic residue mod n. If Alice (A) and Bob (B) want to flip a coin, then the 
following protocol is abuse-free: 

Step 1 A (with W) generates an abuse-free public key n, which is the product of 
two large distinct primes both congruent to 3 modulo 4, using the protocol 
of Section 3.1. 

Step 2 A generates a (random) X, such that gcd(X, n) = 1 and sends Y = 
±X^2 mod n to W. 

Step 3 W checks if the Jacobi symbol (Y | n) = 1. If it is not 1, then W stops the 
protocol (or asks another Y), else W generates truly random X' and ±1, 
such that gcd(X', n) = 1 and sends Y'' = ±Y X'^2 mod n to B. If the 
warden's ±1 is 1, then g' = 1, else g' = 0. 

Step 4 B guesses if Y'' is a quadratic residue mod n. If he thinks it is, then he 
sends g = 1 to W, else he sends g = 0. 

Step 5 W sends g'' = g ⊕ g' to A. 

Step 6 A calculates the outcome of the protocol g'' ⊕ q, where q = 1 when Y is a 
quadratic residue (mod n), otherwise q = 0. A then reveals X to W. 

Step 7 W verifies Y. If it is correct, then W reveals X'' = X · X' mod n to B, 
else W stops the protocol. 

Step 8 B verifies Y''. B must still be convinced that n is of the appropriate form. 
Hereto: 

Step 9 A (with W) proves to B that n is of the appropriate form by using an 
abuse-free zero-knowledge protocol. 

Step 10 B verifies this abuse-free zero-knowledge protocol. If satisfied, B calcu- 
lates g ⊕ q'' as the outcome of the protocol, where q'' = 1 if Y'' turns out to 
be a quadratic residue, else q'' = 0. Remark that A and B have the same 
outcome, in other words g ⊕ q'' = g'' ⊕ q. 

Notice that A and B are not able to abuse one bit, not even the outcome bit. 
Even if W collaborates with A (or similarly with B), A cannot benefit from this 
collaboration to influence the outcome of the protocol in her favor. 
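The two places in this paper where the warden's whole contribution is a multiplication by a random square and a random sign, the [BC86]-style proof that b_1 = b_2 of Section 3.2 and the coin flip above, share the same arithmetic on a Blum integer, so both are shown in one added simulation below. This is example code, not code from the paper. Its assumptions: a small demo modulus n = pq (p = 11, q = 19 in the test) whose factorization A knows; y = 4 as B's public quadratic residue; and, for the coin flip, the warden's bit g' is taken as 1 when the warden multiplied by −1. That last choice is the example's, not the paper's wording: with g' = 1 for the sign +1 the two parties' outcomes come out as complements of each other (Y'' = ±Y X'^2 is a residue exactly when the warden's sign agrees with A's), which the reader can confirm by flipping the constant.

```python
"""Warden re-randomisation on a Blum integer: the [BC86]-style proof that
b1 = b2 (Section 3.2) and the abuse-free coin flip (Section 4.3) as one
runnable simulation.  Added example, not code from the paper.

Assumptions (not in the paper): a small demo modulus n = p*q, A knows p and q,
y = 4 is the public quadratic residue, and the warden's bit g' is 1 when the
warden multiplied by -1 (the "flip" bit)."""
import math
import secrets


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a | n) for odd n > 0; needs no factorisation (warden side)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_qr(y: int, p: int, q: int) -> bool:
    """Euler's criterion mod both primes: only a party knowing p, q can do this."""
    return pow(y % p, (p - 1) // 2, p) == 1 and pow(y % q, (q - 1) // 2, q) == 1


def rand_unit(n: int) -> int:
    """Uniform element of Z_n^* (coprime with n)."""
    while True:
        x = secrets.randbelow(n - 2) + 2
        if math.gcd(x, n) == 1:
            return x


def rand_sign() -> int:
    return 1 if secrets.randbelow(2) else -1


# ---- Section 3.2: A proves b1 = b2 to B, with W re-randomising in between ----
def prover_equality(n, y, b1, b2):
    """Step 1: z_i = +-w_i^2 y^{b_i}; w = w1 w2 y if b1 = b2 = 1, else w1 w2."""
    w1, w2 = rand_unit(n), rand_unit(n)
    z1 = rand_sign() * w1 * w1 * pow(y, b1, n) % n
    z2 = rand_sign() * w2 * w2 * pow(y, b2, n) % n
    w = w1 * w2 * y % n if (b1 == 1 and b2 == 1) else w1 * w2 % n
    return z1, z2, w


def warden_equality(n, y, z1, z2, w):
    """Step 2: check the relation and both Jacobi symbols, then blind everything
    with fresh squares and signs.  Returns None where W stops the protocol."""
    ww = w * w % n
    if z1 * z2 % n not in (ww, -ww % n, ww * y % n, -ww * y % n):
        return None
    if jacobi(z1, n) != 1 or jacobi(z2, n) != 1:
        return None
    psi1, psi2 = rand_unit(n), rand_unit(n)
    return (rand_sign() * psi1 * psi1 * z1 % n,
            rand_sign() * psi2 * psi2 * z2 % n,
            psi1 * psi2 * w % n)


def verifier_equality(n, z1p, z2p, wp) -> bool:
    """Step 3: B concludes b1 = b2 iff z'_1 z'_2 = +-w'^2 (mod n)."""
    ww = wp * wp % n
    return z1p * z2p % n in (ww, -ww % n)


# ---- Section 4.3: coin flip between A and B through W --------------------
def coin_flip(p, q, guess=None):
    """Steps 2-8 and 10 (Steps 1 and 9, the abuse-free n and its proof, are
    taken as done).  Returns (A's outcome, B's outcome); they must agree."""
    n = p * q
    X, sA = rand_unit(n), rand_sign()                      # Step 2
    Y = sA * X * X % n
    if jacobi(Y, n) != 1:                                   # Step 3: W's check
        raise ValueError("W stops: (Y | n) != 1")
    Xp, sW = rand_unit(n), rand_sign()
    Ypp = sW * Y * Xp * Xp % n                              # Y'' goes to B
    gp = 1 if sW == -1 else 0                               # ASSUMED convention for g'
    g = secrets.randbelow(2) if guess is None else guess    # Step 4: B's guess
    gpp = g ^ gp                                            # Step 5
    qA = 1 if is_qr(Y, p, q) else 0                         # Step 6: A knows p, q
    out_A = gpp ^ qA
    if Y != sA * X * X % n:                                 # Step 7: W verifies Y
        raise ValueError("W stops: Y does not open")
    Xpp = X * Xp % n                                        # X'' goes to B
    sq = Xpp * Xpp % n                                      # Step 8/10: B verifies Y''
    if Ypp == sq:
        qpp = 1                                             # Y'' = +X''^2: a residue
    elif Ypp == -sq % n:
        qpp = 0                                             # Y'' = -X''^2: not one (Blum n)
    else:
        raise ValueError("B rejects: Y'' does not match X''")
    return out_A, g ^ qpp
```

In `warden_equality` the ψ_i^2 factors and fresh signs are what removes A's freedom of choice: whatever w_1, w_2 and signs A picked, the triple B receives is distributed identically, so only the one bit "b_1 = b_2 or not" survives the warden, which is the abuse-freeness claim of Section 3.2. The coin flip shows the same pattern with X'^2 and the warden's sign.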

The above protocol is not unconditionally abuse-free. The impossibility that A 
could abuse the coin-flip is unconditional, but B could do it if it were easy for him 
to determine whether a number is a quadratic residue. This means that there is a 
small collapse problem. Indeed, if a hidden channel not under control of the warden 
exists for a while between A and B, A could use it to send the factorization of n 
to B. Later (when the hidden channel no longer exists), when A would choose her ± 
in Step 2 in a way that B could predict, B is able to calculate, from Y'', what 
the warden's choice for g' was. This allows him to choose his g in such a way that 
g'' = g ⊕ g' contains the subliminal information for A. The collapse problem is a 
direct consequence of the fact that the protocol is not unconditionally abuse-free. 

The above protocol is very practical beside the fact that in Step 1 one makes 
an abuse-free public key n. The question, if it is allowed to drop this condition as 
long as A proves to W that n is of the appropriate form, can be derived from the 
discussion about the small collapse problem, higher up. 

[Blu82] already suggested authenticating all communications. It is possible to 
come up with a system such that A and B can flip a coin in an abuse-free way and 
authenticate the coin-flip in an abuse-free way by using our ideas of Section 4.2. 

5 Theoretical and practical consequences: conclusion 

Zero-knowledge allows A to restrict leaks of information if A wants. This paper 
demonstrates that a warden can enforce A not to leak information, even if A tries her 
hardest. Solutions were presented in a general context and practical solutions were 
presented in particular contexts. In some of these practical protocols, the warden's 
role is minimal and it is mainly a multiplication. 

Applications of abuse-free cryptography are in the area of international commu- 
nications as: international bank transfers, authentication of international messages, 
and treaty verification [Sim83a,Sim88] (in the context of authentication without pri- 
vacy). If coin-flipping and similar protocols had been used on a large international 
scale, abuses would have formed a threat for (national) security. The above proto- 
cols prevent this danger in such a way that users of the system do not have to trust 
the warden's integrity. Objections against the use of (public key) cryptography (as 
in [PK79, p. 344]), in particular against authentication, grounded on the fear that 
terrorists would be able to communicate encrypted information, now vanish when 
abuse-free systems are used. So, it also promotes the commercial use of cryptology. 

One can wonder if the above solutions are applicable to covert-channel-free com- 
putation and computer-security in general. 
HOW TO (REALLY) SHARE A SECRET 1 



Gustavus J. Simmons 
Sandia National Laboratories 
Albuquerque, New Mexico 87185 

Introduction 

In information based systems, the integrity of the 
information (from unauthorized scrutiny or disclosure, 
manipulation or alteration, forgery, false dating, etc.) is 
commonly provided for by requiring operation(s) on the 
information that one or more of the participants, who know 
some private piece(s) of information not known to all of the 
other participants, can carry out but which (probably) can't 
be carried out by anyone who doesn't know the private infor- 
mation. Encryption/decryption in a single key cryptoalgor- 
ithm is a paradigm of such an operation, with the key being 
the private (secret) piece of information. Although it is 
implicit, it is almost never stated explicitly that in a 
single-key cryptographic communications link, the transmit- 
ter and the receiver must unconditionally trust each other 
since either can do anything that the other can. 

Even if it can't be assumed that all of the elements in 
a system are trustworthy, so long as there exists at least 
one identified unconditionally trustworthy element (indi- 
vidual or device), it is generally possible to devise proto- 
cols to transfer trust from this element to other elements 
of unknown trustworthiness to make it possible for users to 
trust the integrity of the information in the system even 
though they may not trust all of the elements. A paradigm 
for such a protocol is the cryptographic key distribution 
system described in ANSI X9.17 which makes it possible for 
users who have had no previous contact, nor any reason to 
trust each other, to trust a common cryptographic session 
key because they each unconditionally trust the key distri- 
bution centers (KDC). 

The more common (and hence the more realistic) situation 
is that there are no identified unconditionally trustworthy 
elements in a system. Instead, the most that can be assumed 
is that while any specific element may be suspect, i.e., 
possibly subject to either deliberate or inadvertent compro- 
mise, and hence untrustworthy insofar as the faithful execu- 
tion of the part of the protocol entrusted to it, that there 
are some (unidentified) elements in the system which are 
trustworthy. Under these circumstances there is apparently 
only one way to improve the confidence one can have in the 
integrity of the system over the confidence one has in the 
integrity of the individual elements, and that is by intro- 
ducing some form of redundancy. To protect against random 
failures of devices, this is commonly achieved by parallel 
or by series-parallel operation of redundant elements or by 
even more complex logical interconnections. In the case of 
individuals, though, since the failure may be both deliber- 
ate and clandestine, redundancy typically takes the form of 
requiring the concurrence of two or more knowledgeable per- 
sons to carry out an action. A paradigm for this would be 
the well-known two-man control rule for access to, or the 
control of, nuclear weapons. The k-out-of-ℓ shared secret 
or threshold schemes first discussed by Blakley [10] and 
Shamir [33], and subsequently by numerous other authors [see 
the bibliography], are a natural generalization of this 
concept. In fact, shared secret schemes exist that are 
adequate to the task of insuring shared capability if all 
that is needed is a simple k-out-of-ℓ participation for the 
reconstruction of a secret piece of information essential to 
the system functioning. Ideally, any collusion of k-1 or 
fewer of the holders of information — even if they pool 
their private pieces of information in an effort to cheat 
the system — should have no better chance of success than 
an outsider who knows no private information at all. 
Schemes in which this latter condition holds have been char- 
acterized as "perfect" by Stinson [33,34]. We merely remark 
that several perfect k-out-of-ℓ shared secret or threshold 
schemes have been described in the literature. Many of 
these schemes are also unconditionally secure in the sense 
that the security they provide is independent of the comput- 
ing time or power that an opponent may bring to bear on 
subverting the system, or, put in another way, even with 
infinite computing power would-be cheaters can do no better 
than guess (with a uniform probability distribution on the 
choices available to them) at the secret. If the secret is 
a function (such as one of the coordinates, or the largest 
coordinate, or the norm of the coordinates, etc.) of a 
(secret) point in some n-dimensional vector space over a 
finite field GF(q), then by choosing q large enough we can 
make the system be as secure as we wish for an arbitrary 
k < ℓ. These are "plain vanilla" shared secret schemes for 
which several implementations have been devised [see the 
references flagged with an * in the bibliography]. Conse- 
quently, there is no difficulty in providing (and imple- 
menting) simple shared secret schemes for arbitrary choices 
of k and ℓ and for any desired level of security. 
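The "plain vanilla" k-out-of-ℓ scheme that this paragraph refers to, as an added example that is not part of Simmons' paper: Shamir's polynomial scheme [33] over GF(q), together with an exhaustive check of the "perfect" property, namely that k-1 shares leave every value of the secret equally likely while k shares pin it down. The field size Q = 31, the function names and the parameter choices are the example's own.

```python
"""A plain k-out-of-l threshold scheme over GF(q) (Shamir [33]) with a
brute-force check of the "perfect" property.  Added example, not code from
the paper; Q = 31 is small so that the exhaustive check runs quickly."""
import itertools
import secrets

Q = 31   # a prime, so arithmetic mod Q is the field GF(q)


def eval_poly(poly, x):
    """Evaluate poly[0] + poly[1] x + ... over GF(Q)."""
    return sum(c * pow(x, i, Q) for i, c in enumerate(poly)) % Q


def share(secret: int, k: int, l: int, coeffs=None):
    """Split secret into l shares (x, f(x)); any k of them recover it.
    f is a polynomial of degree < k with f(0) = secret and random other
    coefficients (coeffs may be supplied to make the output reproducible)."""
    assert 0 <= secret < Q and 1 <= k <= l < Q
    if coeffs is None:
        coeffs = [secrets.randbelow(Q) for _ in range(k - 1)]
    poly = [secret] + list(coeffs)
    return [(x, eval_poly(poly, x)) for x in range(1, l + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over GF(Q) from any k shares."""
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % Q
                den = den * (xj - xm) % Q
        secret = (secret + yj * num * pow(den, -1, Q)) % Q
    return secret


def possible_secrets(shares, k):
    """For every candidate secret, count the polynomials of degree < k that
    agree with the given shares.  With k-1 shares each of the Q secrets is hit
    exactly once (perfect: the colluders learn nothing); with k shares only
    the true secret survives."""
    counts = {}
    for poly in itertools.product(range(Q), repeat=k):
        if all(eval_poly(poly, x) == y for x, y in shares):
            counts[poly[0]] = counts.get(poly[0], 0) + 1
    return counts
```

`possible_secrets` is the unconditional-security argument made concrete: an adversary with k-1 shares and unlimited computing power can enumerate every polynomial, and the enumeration returns each candidate secret the same number of times, so the best strategy is a uniform guess.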

Real-world applications, however, require rather consid- 
erably more in the way of capabilities in shared secret 
schemes than a simple k-out-of-i concurrence for an action 
to be initiated. In this paper we will do two things: 
first enumerate and briefly describe eight of these extended 
capabilities and then (in compliance with the unanimous 
recommendation of the reviewers) describe in detail how to 
realize only one class of these extensions in order to keep 
the length of this paper within reasonable bounds. 
Capabilities Required for Various "Real" Applications of 
Shared Secret Schemes 

The new capabilities (over and above the simple 
k-out-of-ℓ shared secret schemes) are: 

• Compartmented² k_i-out-of-ℓ_i shared secret schemes in 
which the private information is partitioned in such 
a way that reconstruction of the secret requires a 
specified level of concurrence by the participants in 
some specified number (perhaps all) of the compart- 
ments (k_i concurrence is required of the members of 
the i-th compartment). 

• Multilevel² k_i-out-of-ℓ_i shared secret schemes in 
which the private information is partitioned into two 
or more levels (classes) in such a way that concur- 
rence of the specified number of participants at any 
one of the levels will permit the secret to be recon- 
structed (k_i concurrence by the members of the i-th or 
higher levels is required). 

• Extrinsic as opposed to intrinsic shared secret 
schemes, i.e., schemes in which the value of a pri- 
vate piece of information to the reconstruction of 
the secret depends only on its functional relation- 
ship to other pieces of private information, and not 
on its information content (in an information theo- 
retic sense) . 

• Prepositioned shared secret schemes in which the 
holders of the private pieces of information are 
unable to recover the secret information, even if 
they all collude to do so, until such time as the 
scheme is activated by communicating additional 
information. 

• Prepositioned shared secret schemes in which the same 
collection of private pieces of information can be 
used to reveal different secrets depending on the 
choice of the activating information. 

• Proof of correctness of the reconstructed secret 
information to a confidence of ≈ 1 − P_d, where P_d is 
the probability of guessing the secret. 

• Tolerance of erroneous inputs of some number, s, of 
the private pieces of information, i.e., the correct 
secret information will be calculated even though s 
of the inputs are in error, where s is a design 
parameter. 

• A cryptographically secure mnemonic technique to make 
it possible for the participants to recover a private 
piece of information that they can't remember using a 
piece that they can. 

2. We have adopted standard security terminology in which information is classified into levels 
(classifications) and into compartments (need to know) to describe the two types of partitioning 
of the private pieces of information in a shared secret scheme. 

It is easy to conceive of situations in which it might 
be desirable that some action require a preselected level of 
concurrence by two or more parties in order for the action 
to be executed. For example, a treaty might require that 
two out of a Russian control team and two out of a U. S. 
team agree that the controlled action is to be taken before 
it could be initiated. What is different about such a com- 
partmented scheme from the simple k-out-of-ℓ schemes, is 
that no matter how many of the participants of one nation- 
ality (compartment or part) concur, the action is to be 
inhibited unless the preselected number of the other nation- 
ality also concur. Clearly, there is nothing special about 
partitioning the private information into only two parts 
(compartments). The specific application will determine how 
many parts are needed to effect the type of concurrence 
desired. 

In Animal Farm, George Orwell's animals have a slogan 
"All animals are equal, but some animals are more equal than 
others" which is certainly descriptive of the apportionment 
of authority in most organizations. While it is not true, 
for example, that two members of the Joint Chiefs of Staff 
equal one President, it is easy to conceive of circumstances 
in which the President might wish to delegate authority to 
the Joint Chiefs to initiate some action with the proviso 
that "If two of you agree that the circumstances warrant, 
then this is what you should do...." On the other hand, 
there are also plausible scenarios in which the concurrence 
of larger numbers of persons with lesser authority (and res- 
ponsibility) could act in the stead of smaller numbers of 
higher authority. For example, it might well be the case 
that any senior officer of a bank can authorize an elec- 
tronic funds transfer up to some specified limit, but that 
in the absence of a senior officer, any two senior tellers 
could do so, etc. The point is that authority in the real 
world is typically different for different classes (levels) 
— like it or not — and that consequently control schemes 
for information, i.e., shared secret schemes, need to 
reflect this class structure. We describe such schemes as 
multilevel k_i-out-of-ℓ_i schemes, where realistically the 
number of levels is small and the values of the k_i are 
determined by the requirements of the application. The 
notion of a hierarchy of shared secret schemes was already 
anticipated in Shamir's paper, but in a form (intrinsic) 
that as we shall see has very serious deficiencies for real- 
world applications. 

In a multilevel system, the persons holding the private 
pieces of information are grouped into classes (levels) such 
that the private information one class has is more (or less) 
valuable in recovering the secret than that which another 
class has. In all of the perfect shared secret schemes that 
we know of, the private pieces of information are not used 
to directly reconstruct the "secret" itself but instead are 
used to reconstruct an algebraic variety (a line, a plane or 
other linear subspace in many of the previously reported 
schemes but more generally complex varieties defined by 
polynomial constraints in an n-dimensional space) whose 
description, i.e., precise specification, is unknown to the 
holders of the private information. If there were no other 
constraints, a multilevel system would be trivial to realize 
for any set of k_i, since a simple shared secret scheme is 
possible for each k_i. To realize a multilevel system, the 
ith class could simply have its own separate and distinct 
k_i-out-of-ℓ_i shared secret scheme. This might be acceptable 
in some applications, but not in general. If, for example, 
a bank vault can be opened by either two VP's or three 
senior tellers, it would probably be unacceptable that one 
VP and two senior tellers not be able to open it. If the 
capabilities (private pieces of information) of members of 
the more privileged classes are to be usable when they 
cooperate with members of other less privileged classes, 
then the schemes are forced to be functionally related. We 
know how to do this in two ways, which leads into the dis- 
cussion in the next paragraph of extrinsic and intrinsic 
shared secret schemes. 

To illustrate an intrinsic shared secret scheme, assume 
that we have a 4-out-of-ℓ scheme in some n-dimensional space 
over GF(q). The private pieces of information are points in 
the space, i.e., n-tuples over GF(q), chosen so that any set 
of four of these points suffice to define the secret but any 
set of three or fewer will provide no information whatsoever 
about the secret. Clearly we could construct a 2-out-of-ℓ 
class by making the private pieces of information for the 
members of this more privileged class consist of pairs of 
the points out of the original set, i.e., two n-tuples. In 
fact, this is how Shamir proposed to realize what he called 
hierarchical control schemes. This type of construction of 
the private pieces of information is what we call an intrin- 
sic scheme in which the value of a piece of private informa- 
tion (i.e., its contribution toward recovering the secret 
information) is internal to the private information itself. 
In an information theoretic sense, the more privileged 
pieces of information are more valuable simply because they 
contain more information about the shared secret. This 
means that the most privileged members would be responsible 
for the largest amounts of private information, and in the 
case of several levels with widely differing k_i perhaps 
responsible for infeasibly much information for them to 
handle (securely). Such hierarchical schemes have been 
discussed before, not only by Shamir [32], but by Ito, et 
al. [23], and other authors. 

In an extrinsic scheme all the private pieces of infor- 
mation are alike in an information theoretic sense, say the 
coordinates of a single point in some n-dimensional space, 
and its value in recovering the secret is determined not by 
anything internal to that piece of information but rather by 
the functional relation between that particular piece of 
private information (point) and the private pieces of infor- 
mation (points) held by the other participants. In other 
words, the value is determined by something external to the 
private pieces of information. An extrinsic scheme does not 
penalize the more privileged classes by requiring them to 
handle more information than members of less privileged 
classes. 

Prior to the results described here, there was no means 
known to realize either extrinsic multilevel control schemes 
or compartmented (multipart) schemes. Ito, Saito and 
Nishizeki [23] had devised an intrinsic general access con- 
trol scheme which, however, can not be extended to an 
extrinsic scheme and all (k,ℓ) threshold schemes can be 
adapted in an obvious way to intrinsic (hierarchical) 
multilevel schemes similar to those Shamir proposed [32]. 

In a prepositioned shared secret scheme, say a simple 
k-out-of-ℓ scheme, the ℓ pieces of private information can 
all be placed in the hands of the participants in advance of 
when the scheme will be needed, with the added property that 
until the scheme is activated by providing some additional 
information, that even if all ℓ of the private pieces of 
information were to be exposed in violation of the protocol, 
the secret would not only not be exposed but it would be 
just as unlikely to be recovered, i.e., just as secure, as 
if none of the private pieces of information had been com- 
promised. Only when the additional piece of information is 
made available does the system become activated, after which 
any set of k of the pieces of private information will allow 
the secret to be recovered. It is worth remarking that 
there is a trivial realization of a prepositioned shared 
secret scheme by simply making ℓ = k-1, i.e., by designing a 
k-out-of-ℓ shared secret scheme, in which all of the private 
pieces of information when taken together are inadequate to 
recover the secret, but such that one more piece (the acti- 
vating information) is required. We are not interested in 
such schemes since they fail to meet the most fundamental 
requirement of k-out-of-n systems, namely, avoiding the 
necessity to have to bring together a designated set of k 
private pieces of information in order to reconstruct the 
secret information. The main reason for being interested in 
prepositioned shared secret schemes is that the (relatively) 
large quantity of private information can be disseminated, 
authenticated, etc., in times of low stress and easily 
available communication and the small quantity of informa- 
tion needed to activate the scheme can be communicated under 
extreme duress — such as a state of advanced alert for the 
military or even the outbreak of war. 

A relatively new discovery is the possibility of setting 
up a prepositioned shared secret scheme, i.e., preposition- 
ing the private pieces of information, with the additional 
property that there are several activating pieces of infor- 
mation available, each of which would lead to the recovery 
of a distinct secret piece of information. This could be a 
very valuable characteristic in some military applications 
where there are several different actions — any one of 
which higher command might wish to enable — but subject to 
a k-out-of-ℓ shared secret control in execution. The basic 
idea is that one needn't change the private pieces of infor- 
mation (which would require a great deal of communication, 
authentication, etc., and presents an enormous human factors 
problem) in order to change the secret protected by the 
shared secret scheme. 

If the consequence of exercising a shared secret scheme 
is immediate — for example, if after the VP's enter their 
private pieces of information, the bank vault door either 
opens or it doesn't — then there is no need to provide a 
supplemental indication that the correct value for the 
secret has been recovered. If however the effect is dis- 
tant, in either time or physical location, then it may be 
vital to the acceptability of the scheme that the partici- 
pants have an immediate indication that the correct value of 
the secret has been reconstructed. If, for example, a 
shared secret scheme is to be used to control the enabling 
of a warhead in a missile, it is clearly desirable to have a 
confirmation that the correct value has been entered prior 
to launch as opposed to learning that the weapon had not 
been enabled after its arrival at the target. Providing an 
indication that the correct secret has been reconstructed is 
similar to the function of error detecting codes which, in 
probability, indicate when a received code word is in error, 
although we hasten to add that the functions are not iden- 
tical. This last remark requires more discussion than is 
appropriate to an abbreviated description of the extended 
capabilities for shared secret schemes, but basically it is 
possible to cause a shared secret scheme to indicate when it 
has reconstructed the correct secret even though the secret 
itself was unknown prior to the reconstruction (and not 
available from any other source for direct comparison after 
reconstruction to determine its validity). This is similar 
to being able to verify a digital signature without being 
able to utter one. In general (but not in all cases which 
is the basis of the preceding remark), this costs one more 
piece of private information to achieve than is necessary 
for a simple shared secret scheme, i.e., k+1 instead of k 
inputs of private pieces of information. 
If the capability discussed in the preceding paragraph 
was only similar in function to error detecting codes, the 
capability of recovering from erroneous inputs of private 
pieces of information is precisely the same as the function 
of error correcting codes. In other words, we can design 
shared secret schemes so that up to s of the inputs can be 
in error and not only will the correct value for the secret 
be found, but if we desire, a proof of correctness can be 
output to show that the right value has been reconstructed. 
Clearly this cannot be done for free, since if only k inputs 
are needed and s can be in error, k-s of the participants 
could collude and input their correct private pieces of 
information, after which any s random inputs would suffice 
to recover the secret. Roughly speaking (not so roughly as 
a matter of fact since the result is true within one 
required input) k+s+1 inputs of private pieces of informa- 
tion are needed to guarantee k-concurrence (i.e., k-man 
control), recovery from s erroneous entries, and a positive 
indication of the correctness of the secret value recovered. 

Several authors have addressed the problem of detecting 
cheating (falsified inputs) in a secret sharing or threshold 
scheme [13,16,17,28,36]. McEliece and Sarwate [28] 
actually construct a secret sharing scheme based on a Reed- 
Solomon error detecting and correcting code which can toler- 
ate s incorrect entries. In their construction any set of 
k + 2s participants (holders of private pieces of informa- 
tion) will be able to correctly reconstruct the secret so 
long as at most s of the inputs are incorrect or falsified. 
Tompa and Woll [36] give a construction for an uncondition- 
ally perfect k-out-of-ℓ shared secret scheme. In both of 
these constructions the participants will (probably) be able 
to tell that cheating has occurred, but they cannot neces- 
sarily determine who the cheaters are. The combinatorial 
scheme of Brickell and Stinson [13] is also an uncondition- 
ally perfect k-out-of-ℓ scheme which also has the property 
that the cheater(s) will be identified in the process (with 
high probability). 

Finally, in this list of capabilities, if k-1 inputs of 
correct private pieces of information are to provide no 
information whatsoever about the secret information, then 
every other piece of private information must appear com- 
pletely random even though k-1 pieces are known. This says 
that an unknown n-tuple, if the setting is in an n-dimen- 
sional space over some GF(q), must itself appear random, not 
in all n coordinates, but effectively in α of them if the 
secret is α-dimensional; by which we mean that the equivo- 
cation about the secret must be the same as the uncertainty 
of guessing a point in an α-dimensional space over GF(q). q 
must be large enough to provide the desired level of secur- 
ity against random picking of points. By present-day compu- 
tational standards, 56 bits is regarded as barely large 
enough to be secure, witness the continuing debate over the 
long-term security of the DES, but 100 bits is unquestion- 
ably secure against a brute-force search of the key space. 
However even the modestly secure limit of 100 bits is a 20 
alphanumeric character string that must appear totally ran- 
dom by the remarks above, which is beyond anyone but a stage 
memory expert's ability to recall. Since shared secret 
schemes are not communication channels, the standards for 
the security of a communications cryptographic key do not 
necessarily apply. But even at 56 bits or 12 alphanumeric 
characters as required for a DES key, it is still impossible 
for most people to recall a random string of this length as 
their private piece of information. Fortunately, there 
exists an approved mnemonic technique for generating a one- 
time key of sufficient length, using easily remembered pri- 
vate phrases or verses, to permit the secure recovery of 
something that can't be remembered (the random appearing 
private piece of information) from something that can (the 
private phrase). 
There are a great many other technical aspects of shared 
secret schemes which need to be considered, however the main 
ones which we have been able to identify that affect the 
operational acceptability of these schemes have been des- 
cribed here. 

The Basic Construction for Shared Secret Schemes 

We illustrate the essential elements in the construction 
of shared secret schemes using the simplest possible exam- 
ple: a 2-out-of-ℓ scheme. Let the secret be a single 
numerical value, i.e., having a 1-dimensional uncertainty, 
which is equivalent to the identification of a point, p, on 
a line, L_d. 

Figure 1. 

If we now consider L_d to be embedded in the projective plane 
PG(2,q), and randomly choose any other line, L_i, in the 
plane, L_i ≠ L_d, then the private pieces of information can 
be taken to be distinct points on L_i, none of which are the 
point p. L_i is kept secret, only the fact that such a line 
exists, etc., is public knowledge. For the purposes of this 
paper, L_d will be assumed to be known a priori. There are 
applications in which this is not the case, but we will not 
have time to discuss them here. 
Figure 2. 
Any pair of points on L_i determine the line and thence its 
intersection with L_d; the point p. On the other hand, know- 
ing any one of the points, q, on L_i leaves p totally unde- 
termined since for each choice of a point, r, on L_d there 
exists a unique line <q,r> lying on q and r which could 
(with equal probability) be the unknown line L_i — in which 
case the (secret) point of intersection of L_i with L_d would 
be the arbitrary point r. Therefore every point on L_d is an 
equally likely candidate to be the secret point p given 
either no knowledge of the private pieces of information 
(points on L_i) or else of only one private piece. In this 
example, since p could (equally likely) be any point on the 
line, P_d = 1/(q+1), while the number of participants, ℓ, can 
be as great as q, i.e., any point on L_i other than p could 
be used as a private piece of information. 
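The construction of Figure 2 carried out over a small prime field, as an added example that is not part of this paper: points and lines of PG(2,q) are represented as homogeneous triples, the dealer picks p uniformly on the public line L_d and a random L_i through it, any two private pieces recover p, and a single piece leaves every one of the q+1 points of L_d an equally likely candidate. The field size Q = 11, the particular line chosen for L_d and all function names are assumptions of the example, not the paper's.

```python
# Added example (not from the paper): the 2-out-of-l scheme of Figure 2 in PG(2,q).
# Points and lines are both homogeneous triples over GF(q), normalized so the
# first nonzero coordinate is 1; a point lies on a line when their dot product is 0.
import random

Q = 11  # assumed prime field size; the public domain line L_d then carries q+1 = 12 points


def normalize(v):
    """Canonical representative of the projective point (or line) spanned by v."""
    lead = next(x for x in v if x % Q)
    inv = pow(lead, -1, Q)
    return tuple((x * inv) % Q for x in v)


def cross(a, b):
    """Line joining two points, or the point common to two lines (same formula)."""
    return normalize((a[1] * b[2] - a[2] * b[1],
                      a[2] * b[0] - a[0] * b[2],
                      a[0] * b[1] - a[1] * b[0]))


def incident(pt, line):
    """True when the point lies on the line."""
    return sum(x * y for x, y in zip(pt, line)) % Q == 0


def points_on(line):
    """All q+1 points of PG(2,q) on the given line."""
    pts = set()
    for x in range(Q):
        for y in range(Q):
            for z in range(Q):
                if (x or y or z) and incident((x, y, z), line):
                    pts.add(normalize((x, y, z)))
    return sorted(pts)


L_D = normalize((1, 1, 1))  # assumed public domain line L_d: x + y + z = 0


def random_point_off(line, rng):
    """Uniformly random point of the plane not on the given line."""
    while True:
        v = tuple(rng.randrange(Q) for _ in range(3))
        if any(v) and not incident(v, line):
            return normalize(v)


def deal(n_shares, seed=None):
    """Dealer: index p uniform on L_d; L_i a random line through p other than L_d;
    private pieces = distinct points of L_i other than p (so at most q of them)."""
    rng = random.Random(seed)
    p = rng.choice(points_on(L_D))
    # each of the q lines on p other than L_d holds q points off L_d, so this is uniform
    L_i = cross(p, random_point_off(L_D, rng))
    shares = [pt for pt in points_on(L_i) if pt != p]
    rng.shuffle(shares)
    return p, shares[:n_shares]


def reconstruct(s1, s2):
    """Any two private pieces determine L_i; meeting it with the public L_d gives p."""
    return cross(cross(s1, s2), L_D)


def single_share_candidates(s):
    """What one insider can infer: for each point r of L_d the line <s,r> is a
    distinct, equally plausible L_i, so every r stays a candidate for p (P_d = 1/(q+1))."""
    return {r: cross(s, r) for r in points_on(L_D)}
```

Calling `deal(4, seed=7)` returns the index p and four private pieces; `reconstruct` on any two of them returns p, while `single_share_candidates` on one piece returns q+1 distinct lines, one per point of L_d, which is the uniformity the text argues for.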

It should be remarked that the point p, although it is 
unknown in advance of the 2-out-of-ℓ scheme being exercised, 
is not itself the secret. The secret is recovered by evalu- 
ating a predesignated function, f, at the point p: f could 
be as simple as one of the coordinate values of p or the 
distance of p from some reference point or it could be a 
much more complex function. Whatever the function is, it is 
assumed to be known a priori so that as soon as p is deter- 
mined, so is the secret. There are restrictions on f that 
must be satisfied in order for it to be suitable for this 
sort of application. For example, if f were a simple parity 
check (on the coordinate values) mapping the points on L_d 
into the set {0,1}, then the uncertainty about the secret 
would be at most one bit irrespective of how many different 
values p could take. For our purposes, we assume that f 
conserves entropy, i.e., that the uncertainty about f(p) is 
the same as the uncertainty about p. 

Returning to the simple example shown in Figure 2: p was 
an (unknown) point in a larger set — all of the points on 
the line L_d. The secret revealing function, f, is defined 
(at least) on all of the points in V_d and as mentioned 
above, conserves entropy. It is worth noting that it is 
immaterial (to the secret sharing scheme) whether f is also 
defined for points in the plane not on L_d. In our construc- 
tion of shared secret schemes, the line L_d will be replaced 
by a more general type of geometrical object — an algebraic 
variety, V_d, in some n-dimensional space: i.e., the set of 
points in L_d satisfying a set of specified polynomial con- 
straints. This collection of points, any one of which could 
be the unknown point p, we will refer to as the domain (var- 
iety) for the function f, hence the notation V_d. The line L_i 
can be thought of as "pointing" to the point p in L_d. In 
the most general formulation, the private pieces of informa- 
tion (points in the n-dimensional space) suffice to define a 
second algebraic variety, V_i, whose function it is to 
"point" to the point p in V_d. We will say that V_i is the 
indicator (variety) using the term indicator with its pre- 
ferred meaning of pointing to or indicating a specific item, 
i.e., of pointing to the point p. p we will call the index. 
Without saying precisely how the private pieces of informa- 
tion determine the indicator, pictorially our shared secret 
schemes are of the form: 




Figure 3. 

where V_i and V_d are two algebraic varieties having only the 
single point p in common. The indicator V_i is shown as a 
line in Figure 3 to emphasize the fact that it is pointing 
to a unique point in V_d, but in general it can be any 
algebraic variety satisfying the conditions for a shared 
secret scheme. In order for the scheme to be acceptable, we 
will also require that any compromise (collusion) of less 
than the required number and types of private pieces of 
information will leave every point in V_d an equally likely 
candidate to be the unknown point p. As mentioned earlier 
Stinson has characterized shared secret schemes meeting this 
latter condition as perfect [33,34] and we will adopt that 
terminology also. 

An example of a perfect 3-out-of-ℓ scheme is shown in 
Figure 4. 

Figure 4. 

The private pieces of information are points in general 
position in the indicator (plane) V_i, i.e., none of them are 
p and no three (including p) are collinear. The domain is 
the set of points on the line V_d. f could be any entropy 
conserving function defined on the points in V_d, say the 
value of the z-coordinate if V_d is chosen not to lie in a 
plane perpendicular to the z axis. To see that this scheme 
is perfect, consider the case in which two holders of pri- 
vate pieces of information collude in an attempt to cheat 
the system. The two points that they know define a line, 
ℓ, in V_i which does not intersect V_d. Given any point r on 
V_d there exists a unique plane <ℓ,r> lying on ℓ and r which 
is equally likely to be the unknown variety V_i as that 
determined by any other point on V_d. Consequently, for this 
collusion all points on V_d are equally likely candidates to 
be the unknown point p, and the scheme is perfect. It is 
worth remarking about the construction of Figure 4 that 
while the secret can be any one of q+1 points on the line, 
V_d, so that the security of the scheme is P_d = 1/(q+1), the 
number of participants, ℓ, could be as great as q or q+1 
depending on whether q is odd or even, respectively. This 
follows from the well known result that the maximum number 
of points that can be selected in the plane PG(2,q) such 
that no three of them are collinear is a set of q+1 points 
on a conic (plus the nucleus of the conic if q is even) and 
that the point p is neither collinear with any pair of the 
private points nor equal to any one of them. The point of 
the remark is that while we wish to make P_d be small, i.e., 
for the scheme to be secure, which requires that q be very 
large, ℓ is normally quite small. There is a price exacted 
for this unused capacity as we shall see later. 

The construction of perfect shared secret schemes pro- 
ceeds in two steps. First we must find two families of 
algebraic varieties which intersect pairwise in single 
points, i.e., one of which can be considered to indicate a 
point in the other. In order for such a construction to be 
applicable to constructing shared secret schemes it must 
also be the case that all of the points in the domain vari- 
ety can be indicated by the varieties of the other type, and 
in fact, the even stronger restriction must hold that each 
point in the domain is an equally likely index of the indi- 
cator (variety) as the indicator ranges over all possible 
values. The second step is: given two families of algebraic 
varieties satisfying these conditions, one must devise ways 
to define a unique member of one of these families that 
requires the specified level of concurrence on the part of 
the holders of the pieces of private information. In the 
two simple examples this took the form of 2-out-of-ℓ or 
3-out-of-ℓ concurrence in order for the indicator (a line or 
a plane in the examples) to be reconstructed. In general, 
the required concurrence can be arbitrarily complex; for 
example, at least one member of each of n committees must be 
present for a vote to be binding or two, or three, etc. The 
point is that we want it to be possible to reconstruct the 
indicator variety only when the specified concurrence occurs 
and for it not only to be impossible in all other cases, but 
that the even stronger result will hold that every point in 
the domain, V_d, will be equally likely to be p in all other 
cases (collusions). 

Our constructions will generally be based on a simple 
result from point geometry — the rank formula: 

(1) r(S) + r(T) = r(S ∩ T) + r(S ∪ T) 

which holds for all subspaces S and T of the n-dimensional 
projective space PG(n,q) or Q_n in short. For notational 
consistency the empty subspace is defined to have rank 0 and 
dimension -1. To illustrate how (1) applies, consider the 
following construction: π_1 and π_2 are planes in a 4-dimen- 
sional space, Q_4, which do not lie in a common 3-dimensional 
subspace. π_1 ∪ π_2 = Q_4 in this case, and we have 

r(π_1) + r(π_2) = 3 + 3 = r(π_1 ∪ π_2) + r(π_1 ∩ π_2) 
= 5 + r(π_1 ∩ π_2) 

Therefore, 

r(π_1 ∩ π_2) = 1 

and 

π_1 ∩ π_2 = p, p a point. 

Restated; in 4-dimensional space any pair of planes that do 
not lie in a common 3-dimensional subspace intersect in a 
point. Clearly this is a candidate construction for the 
pair of varieties we need to construct a shared secret 
scheme. We still have to show that the desired uniformity 
of intersection holds, i.e., that for a fixed π_1, as π_2 
ranges over all of the planes in Q_4 that do not intersect π_1 
in a line, each point of π_1 will occur equally often as the 
intersection π_1 ∩ π_2. To see that this is true, fix π_1 and 
choose any line ℓ in Q_4 skew with respect to π_1. Let q be 
an arbitrary point in π_1, then <q,ℓ> = π is the unique plane 
lying on q and ℓ. If π ∩ π_1 were a line ℓ*, i.e., if π ∪ π_1 
is a 3-dimensional subspace of Q_4, then ℓ* and ℓ are both in 
π and hence must intersect in a point. But this point would 
be in both ℓ and π_1 which contradicts the assumption that ℓ 
is skew to π_1. Therefore π and π_1 intersect in only the 
single point q. But q was an arbitrary point in π_1, hence 
for each skew (to π_1) line ℓ there is a unique plane on ℓ 
intersecting π_1 at point q. Now let ℓ range over all lines 
skew to π_1, etc. 

We now show how the geometrical result of the preceding 
paragraph can be used to construct a 3-out-of-ℓ shared 
secret scheme to conceal a 2-dimensional secret. V_d is an 
arbitrary, but known a priori, plane in the 4-dimensional 
projective space Q_4. V_i is a randomly chosen plane which 
does not lie in any common 3-dimensional space with V_d. A 
possible selection procedure for V_i is to choose a point q, 
q ∉ V_d, and a point r, r ∉ <V_d ∪ q>. Note that q ∉ V_d 
implies by the rank formula that <V_d ∪ q> is 3-dimensional. 
<q,r> is a line skew to V_d. Now choose (with a uniform 
probability distribution) a point p ∈ V_d and define 

V_i = <p, <q,r>>. 

The private pieces of information will be points in V_i none 
of which are p, and no three of which (including p) are 
collinear. Clearly this is a 3-out-of-ℓ shared secret 
scheme which can indicate any point p in V_d. A simple adap- 
tation of the uniformity argument proves that the scheme is 
perfect even if two of the pieces of private information 
(points in V_i) are combined in an attempt to cheat the sys- 
tem. In this case the secret can be any one of the q^2+q+1 
points in the plane V_d, so that P_d = 1/(q^2+q+1), while ℓ is 
at most q or q+1 depending on whether q is odd or even as 
remarked earlier. 
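The rank formula (1), the uniformity argument and the 3-out-of-ℓ scheme in Q_4 just described, carried out in code as an added example that is not part of this paper: subspaces of PG(4,q) are row spans of vectors in GF(q)^5, the dealer builds V_i = <p, <q,r>> exactly as in the selection procedure above, three private pieces recover p as the single point V_i has in common with V_d, and two colluding pieces are checked to leave all q^2+q+1 points of V_d as candidates. The field size Q = 7, the particular plane used for V_d and every function name are assumptions of the example, not the paper's; the rank of an intersection is found by counting common points rather than by the formula, so the formula can be checked rather than assumed.

```python
# Added example (not from the paper): the 3-out-of-l scheme for a 2-dimensional
# secret in PG(4,q), built as V_i = <p, <q,r>> with <q,r> skew to the public plane V_d.
# Subspaces are row spans of vectors in GF(q)^5; projective rank r() = number of
# independent vectors (a point has rank 1, a line 2, a plane 3, Q_4 itself 5).
import random
from itertools import product

Q = 7  # assumed prime field size; a plane then has q^2+q+1 = 57 points, few enough to list


def rank_mod_q(rows):
    """Rank over GF(q) by Gaussian elimination, i.e. the projective rank of the span."""
    m = [list(r) for r in rows]
    rank = 0
    for col in range(len(m[0])):
        pivot = next((i for i in range(rank, len(m)) if m[i][col] % Q), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, Q)
        m[rank] = [(x * inv) % Q for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col] % Q:
                f = m[i][col]
                m[i] = [(a - f * b) % Q for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def normalize(v):
    """Canonical representative of the projective point spanned by v."""
    lead = next(x for x in v if x % Q)
    inv = pow(lead, -1, Q)
    return tuple((x * inv) % Q for x in v)


def in_span(v, basis):
    return rank_mod_q(list(basis) + [v]) == rank_mod_q(basis)


def points_of(basis):
    """All projective points of the subspace spanned by an independent basis."""
    pts = set()
    for coeffs in product(range(Q), repeat=len(basis)):
        if any(coeffs):
            pts.add(normalize([sum(c * b[i] for c, b in zip(coeffs, basis)) % Q for i in range(5)]))
    return sorted(pts)


def intersection_rank(S, T):
    """r(S ∩ T) found directly by counting common points: a subspace of rank k
    has (q^k - 1)/(q - 1) points. Compare with (1): r(S)+r(T) = r(S∩T)+r(S∪T)."""
    n = sum(1 for pt in points_of(S) if in_span(pt, T))
    return next(k for k in range(6) if (Q ** k - 1) // (Q - 1) == n)


def random_point(rng):
    while True:
        v = [rng.randrange(Q) for _ in range(5)]
        if any(v):
            return normalize(v)


def deal(V_d, n_shares, seed=None):
    """Dealer: q not in V_d, r not in <V_d, q>, p uniform in V_d, V_i = <p, q, r>;
    private pieces are points of V_i other than p, no three of them (with p) collinear."""
    rng = random.Random(seed)
    while True:
        qpt = random_point(rng)
        if not in_span(qpt, V_d):
            break
    while True:
        rpt = random_point(rng)
        if not in_span(rpt, list(V_d) + [qpt]):
            break
    p = rng.choice(points_of(V_d))
    V_i = [p, qpt, rpt]
    shares = []
    pts = points_of(V_i)
    for c in rng.sample(pts, len(pts)):  # greedy arc through the shuffled points of V_i
        if c == p:
            continue
        chosen = shares + [p]
        if all(rank_mod_q([a, b, c]) == 3 for a in chosen for b in chosen if a < b):
            shares.append(c)
        if len(shares) == n_shares:
            break
    return p, V_i, shares


def reconstruct(V_d, three_shares):
    """Any three private pieces span V_i; by (1), 3 + 3 = 5 + r(V_i ∩ V_d), so the
    indicator plane meets the public plane V_d in exactly one point, the index p."""
    if rank_mod_q(three_shares) != 3:
        raise ValueError("pieces are collinear and do not span the indicator plane")
    common = [pt for pt in points_of(three_shares) if in_span(pt, V_d)]
    assert len(common) == 1
    return common[0]


def two_colluder_view(V_d, two_shares):
    """Perfection check: for each r in V_d the plane <s1, s2, r> meets V_d only in r
    (rank 1), so every one of the q^2+q+1 points of V_d is an equally plausible index."""
    return {r: intersection_rank(list(two_shares) + [r], V_d) for r in points_of(V_d)}
```

With V_d taken as the plane spanned by the first three unit vectors, `deal(V_d, 4, seed=3)` returns p, the dealer's V_i and four private pieces; `reconstruct` on any three of them returns p, `intersection_rank(V_i, V_d)` is 1 while `rank_mod_q(V_i + V_d)` is 5, matching (1), and `two_colluder_view` on two pieces reports rank 1 for every point of V_d.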

There are a couple of other important points to make 
about shared secret schemes in general. In the construction 
of a perfect 3-out-of-ℓ shared secret scheme to secure a 
1-dimensional secret shown in Figure 4, the private pieces 
of information were points in a 3-dimensional space, i.e., 
3-dimensional themselves. An alternative construction for a 
perfect 3-out-of-ℓ scheme which also secures a 1-dimensional 
secret is: 







Figure 5. 



where any three points on Vi suffice to define the quadratic 
curve and hence the point p at which it intersects V_d. The 
private pieces of information in this case are 2-dimensional, 
i.e., points in the plane. These two examples show that not 
only is a shared secret scheme not fixed by the specifica- 
tion of the level of concurrence (k-out-of-ℓ) and the dimen- 
sion of the secret which is to be secured, but that even the 
dimension of the space in which the scheme is implemented — 
and hence the dimension of the private pieces of information 
— is not determined. 
This leads to the second, and most important, observa- 
tion: the information in the private pieces of information 
is not all of the same type in the sense of how it must be 
secured. To see this, consider the simple 2-out-of-ℓ scheme 
shown in Figure 2. The private pieces of information are 
points on the line L_i, i.e., 2-tuples of the form (x_j, y_j). 
It is not necessary to keep both of these coordinate values 
secret in order to protect the secret from improper recov- 
ery. One of the coordinate values can be kept secret, say 
y_j, which we indicate by (y_j), while the other need not be 
kept secret but only its integrity (against substitution, 
alteration, deletion, etc.) needs to be ensured. It is easy 
to show that in the most damaging collusion possible for 
this scheme (an insider misusing his private information 
(x_j, (y_j)) and the exposed values x_1, ..., x_ℓ for all of the 
other participants) that all points on V_d will be equally 
likely candidates to be the index p and hence that the 
scheme is still perfect. 
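The collusion just described, worked through as an added example that is not part of this paper. It uses the affine chart of Figure 2, which is an assumption of the example: the public domain line L_d is taken as x = 0, the hidden line L_i is y = a·x + b over GF(q), so the index is p = (0, b) and the secret is b (dropping the point at infinity of L_d leaves q rather than q+1 candidates). The insider with (x_1, (y_1)) plus every exposed x_j is shown to be left with all q values of b. The example also goes one step beyond the text: it shows that exposing the y_j instead of the x_j does rule candidates out, so the coordinate that may be made public is not arbitrary in this chart. Q = 101 and the function names are assumed.

```python
# Added example (not from the paper): which coordinate of a 2-out-of-l private
# piece must stay secret, in the affine chart where the public line L_d is x = 0,
# the hidden line L_i is y = a*x + b over GF(q), p = (0, b) and the secret is b.
Q = 101  # assumed prime field size


def deal(a, b, xs):
    """Private pieces (x_j, y_j) on y = a*x + b; the x_j are distinct and nonzero."""
    assert len(set(xs)) == len(xs) and all(x % Q for x in xs)
    return [(x, (a * x + b) % Q) for x in xs]


def reconstruct(s1, s2):
    """Two pieces fix the line; its y-intercept (the point on x = 0) is the secret."""
    (x1, y1), (x2, y2) = s1, s2
    a = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    return (y1 - a * x1) % Q


def candidate_secrets(known, others, exposed):
    """Secrets b still consistent with the insider's full piece `known` plus, for
    every other participant, the single coordinate named by `exposed`.

    exposed='x': for each b there is exactly one slope a through `known`, and the
    unknown y_j = a*x_j + b is always available, so all q values of b survive.
    exposed='y': the exposed y_j must equal a*x_j + b for an admissible x_j (nonzero,
    distinct from the insider's), which rules some b out."""
    x1, y1 = known
    survivors = set()
    for a in range(Q):
        b = (y1 - a * x1) % Q          # the unique line of slope a through the insider's point
        ok = True
        for x, y in others:            # only the coordinate named by `exposed` is read
            if exposed == 'y':
                if a == 0:
                    ok = ok and y == b               # horizontal line: every y_j must equal b
                else:
                    x_j = (y - b) * pow(a, -1, Q) % Q
                    ok = ok and x_j not in (0, x1)   # x_j = 0 would make the piece p itself
        if ok:
            survivors.add(b)
    return survivors
```

With `deal(3, 5, [1, 2, 3])` the pieces are (1, 8), (2, 11), (3, 14); `candidate_secrets` with the x_j exposed returns all 101 values of b, while with the y_j exposed it returns 98 of them, the true secret 5 among them but the values 8, 11 and 14 excluded.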

Clearly the information content in a private piece of 
information must be at least as great as in the secret, 
otherwise a collusion of (k-1) parties would be faced with a 
lesser uncertainty in guessing a missing piece of private 
information (and hence in recovering the secret) than the 
uncertainty they are assumed to have about the secret — 
clearly a contradiction. In the example just given, 
H(y_j) = H(p), i.e., the information content in the part of 
the private piece of information that has to be kept secret 
is exactly the same as the uncertainty about the secret 
itself. As we shall see for the constructions described 
here this is always possible. What does differ from one 
realization of a shared secret scheme to another (having the 
same specifications) is the amount of information in the 
private pieces of information which doesn't have to be kept 
secret. 
Perfection: At what Price? 

The reader has probably wondered why we introduced two 
varieties in our model for shared secret schemes, one of 
which was defined by the private pieces of information, and 
then defined the index to be their intersection instead of 
simply defining the index directly in terms of the private 
pieces of information; and whether both of the varieties are 
necessary. A discussion of the main reason for introducing 
the domain variety (in addition to the clearly essential 
indicator variety) will be deferred until a later paper how- 
ever the simple answer to the question is that the domain 
can be dispensed with — but only by sacrificing perfection 
for the shared secret schemes when k < ℓ. 

To illustrate the difficulty, consider the simplest 
possible example of a k-out-of-ℓ shared secret scheme, 
k < ℓ, in which the private pieces of information directly 
determine the index shown in the construction in Figure 6. 
The index in this example is a point, p, in the plane and 
the private pieces of information are a pencil of lines on 
p. 
Figure 6. 

Since any two of the lines determine p, while a knowledge of 
any one of them leaves p (linearly) indeterminate this is a 
2-out-of-ℓ scheme for a 1- (2?)-dimensional secret. The ambigu- 
ity as to the dimension of the secret is due to the fact 
that each insider knows that p must lie in the 1-dimensional 
variety which he knows and hence p is only 1-dimensional in 
uncertainty to him, while to an outsider p has 2-dimensional 
uncertainty since it could be any point in the plane. 

Since k = 2 in this example, the only improper insider 
collusion possible is that of a lone individual trying to 
misuse his private piece of information. As a result, this 
example does not adequately illustrate what happens when 
k > 2 and the index is derived directly from the private 
pieces of information without the aid of an indicator. To 
show what happens in general, let the secret, p, be a point 
in a 3-dimensional space and the private pieces of informa- 
tion be a bundle of planes all containing p, but no three of 
which contain any common line. This is clearly a 3-out-of-ℓ
shared secret scheme for a 3-dimensional (to outsiders) 
secret: any pair of the planes defines a line containing p 
which, since it isn't in any of the other planes, must 
intersect each of them at p.

Figure 7.

However, the secret is only of 2-dimensional uncertainty to
any single insider since he knows p must be in the plane
which is his private piece of information, and of only
1-dimensional uncertainty to any pair of insiders since they
know p must be common to both their planes and must therefore
be contained in the line of intersection of the two
planes. The problem is that the index is contained in each
of the private varieties in all of these examples (and in
general in this type of shared secret scheme) and is identified
by the intersection of sufficiently many of the private
varieties to determine the index. As a result, the
successive intersections define a sequence of, if not monotonically
decreasing, at least nonincreasing (in dimension)
varieties converging to the point p. It isn't possible to
make this sequence of intersections be equal to the dimension
(> 1) of the secret through the penultimate, (k-1)-st,
step in the reconstruction of the secret and then on the
final step, at which the k-th private variety is introduced,
to suddenly become of dimension 0. This might be possible
if the order in which the various pieces of private information
had to be used could be specified in advance, but a
shared secret scheme must be immune to compromise by all
subsets of k-1 or fewer insiders and in whatever order they
choose to collude. Hence this isn't possible. Consequently,
erosion of the uncertainty about the index with
increasing numbers of persons in a collusion is an inherent
shortcoming of all shared secret schemes in which the index
(set) is determined directly from the private pieces of
information.

An interesting observation, though, is that this need
not be true if k = ℓ. For example, a perfect 2-out-of-2
shared secret scheme is easy to realize (for a secret of any
dimension). One of the participants is given a random
point, r, in V_d and the other the vector sum (Vernam encryption)
of p with r, say p - r. Clearly this is a perfect
2-out-of-2 scheme irrespective of the dimension of V_d. Pictorially,
if V_d is 1-dimensional, we have

Figure 8.

Both the secret and the private pieces of information are
1-dimensional. Their sum recovers the 1-dimensional secret,
p. To extend this scheme to a perfect k-out-of-k 1-dimensional
shared secret scheme, k > 2, it is only necessary to
give k-1 of the insiders random numbers, r_i, as their private
pieces of information and the Vernam cipher p - Σ r_i to
the k-th individual. In spite of the apparent asymmetry in
this assignment procedure, which appears to give more significant
information to the holder of p - Σ r_i than to the individuals
whose private information is one of the r_i, this is
not the case, and any collusion of k-1 or fewer holders of
private pieces of information will be totally uncertain of p
in the sense that it could (equally likely) be any point in
V_d. Obviously, by construction the sum of all k of the
points is p. Consequently, not only are all of the pieces
of private information equivalent (in uncertainty) but, more
importantly, there is no erosion of the uncertainty about p
until the k-th and final piece of information becomes available,
at which point p is determined.

This construction for 1-dimensional k-out-of-k shared
secret schemes, in which there is no indicator but in which
there is also no erosion of the uncertainty about the index,
p, with the compromise of fewer than k of the private pieces
of information, can easily be extended to the concealment of
secrets of any dimensionality. Let p be an m-dimensional
secret (point in Q^n). Choose the k private pieces of information
to be k-1 randomly chosen points, r_i, in V_d, and the
point

p - Σ_{i=1}^{k-1} r_i .

The combining operation will be the vector
sum — component addition in the underlying finite field.
Under these circumstances any subset of k-1 or fewer of the
points will leave the index completely undetermined, since it
could be any point in V_d, while the vector sum of all k will,
by construction, be p. We remarked earlier that it wasn't
possible to make the dimension of the secret and of the private
pieces of information both be n in a perfect k-out-of-ℓ
shared secret scheme in the space Q^n if k < ℓ. What we
have seen in the constructions of this section is that there
are perfect shared secret schemes in which an indicator
doesn't appear and in which this common dimensionality is
possible if k = ℓ. We will utilize these perfect k-out-of-k
shared secret schemes later in a class of constructions for
realizing compartmented shared secret schemes in which more
than a single group of persons must concur in order for a
controlled action to occur.
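The k-out-of-k Vernam-sum construction just described, as an added example that is not part of the paper. It works over GF(3) (a constructed choice, small enough to enumerate) and checks perfection by enumerating the dealer's randomness, so the claim that the holder of p - Σ r_i is no better off than the holders of the r_i can be verified rather than argued.

```python
# Added example (not from the paper): the perfect k-out-of-k scheme of
# this section over GF(P), with a brute-force check of its perfection.
import itertools
import random
from collections import Counter

# Prime order of the ground field; a constructed small value so that every
# choice of the dealer's randomness can be enumerated in is_perfect_for().
P = 3


def vec_add(u, v):
    """Component-wise addition in GF(P)^m (the combining operation)."""
    return tuple((a + b) % P for a, b in zip(u, v))


def vec_sub(u, v):
    """Component-wise subtraction in GF(P)^m."""
    return tuple((a - b) % P for a, b in zip(u, v))


def share(secret, k, randomness):
    """Split the secret p, an m-tuple over GF(P), into k private pieces.

    `randomness` holds the k-1 random points r_1..r_{k-1} of GF(P)^m as
    one flat sequence of m*(k-1) field elements.  Pieces 1..k-1 are those
    points; piece k is the Vernam cipher p - (r_1 + ... + r_{k-1}).  Every
    piece has the same dimension m as the secret.
    """
    m = len(secret)
    if len(randomness) != m * (k - 1):
        raise ValueError("need m*(k-1) random field elements")
    pieces = [tuple(x % P for x in randomness[i * m:(i + 1) * m])
              for i in range(k - 1)]
    total = (0,) * m
    for r in pieces:
        total = vec_add(total, r)
    pieces.append(vec_sub(tuple(secret), total))
    return pieces


def share_random(secret, k, rng=random):
    """Dealer's normal use: fresh uniform randomness from `rng`."""
    m = len(secret)
    return share(secret, k, [rng.randrange(P) for _ in range(m * (k - 1))])


def reconstruct(pieces):
    """The vector sum of all k pieces is p by construction."""
    total = (0,) * len(pieces[0])
    for r in pieces:
        total = vec_add(total, r)
    return total


def view_distribution(secret, k, exposed):
    """What a collusion holding the pieces with indices `exposed` sees, as
    a distribution over all P^(m(k-1)) choices of dealer randomness."""
    m = len(secret)
    views = Counter()
    for rand in itertools.product(range(P), repeat=m * (k - 1)):
        pieces = share(secret, k, rand)
        views[tuple(pieces[i] for i in exposed)] += 1
    return views


def is_perfect_for(k, m, exposed):
    """True iff the colluders' view is distributed identically for every
    secret in GF(P)^m, i.e. the exposed pieces carry no information about
    p.  This is the "no erosion" property: it holds for every proper subset
    of the pieces, whether or not the Vernam piece p - sum(r_i) is among
    them, and fails only when all k pieces are exposed."""
    secrets = list(itertools.product(range(P), repeat=m))
    reference = view_distribution(secrets[0], k, exposed)
    return all(view_distribution(s, k, exposed) == reference
               for s in secrets[1:])


if __name__ == "__main__":
    secret = (2, 1)                      # a 2-dimensional secret in GF(3)^2
    pieces = share_random(secret, 3)
    print("pieces:", pieces, "sum:", reconstruct(pieces))
    print("k-1 pieces incl. Vernam piece perfect:",
          is_perfect_for(3, 2, [1, 2]))
    print("all k pieces perfect:", is_perfect_for(3, 2, [0, 1, 2]))
```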

The emphasis on dimension in the preceding discussion is
slightly misleading. While it is certainly true that for a
fixed ground space Q, less information is needed to specify
a point in Q^m than in Q^n, where m < n, as we have already
pointed out, this information is not all equally costly to
generate, distribute or to protect. In fact the expensive
secret part of the private information can be made to be the
same in all realizations for a particular set of specifications.

The application normally dictates the level of concurrence,
k, required to provide the desired level of confidence
in the proper execution of the controlled action and
the number of participants, i.e., the number of private
pieces of information that the scheme needs to accommodate.
The application also dictates the maximum probability, P_d,
that can be tolerated of someone (either outsiders or an
improper collusion of insiders) guessing the shared secret
on whose concealment the control scheme is predicated. If
the values that the secret can assume are equiprobable, then
the number of such values, i.e., the number of points in the
domain, |V_d|, must be at least

|V_d| ≥ 1/P_d .

There may also be other parameters involved. For example, 
as we have pointed out earlier, it may be natural to con- 
sider the secret information as having a dimension, d, etc. 
In summary, both the indicator and domain varieties are
essential to the realization of a perfect shared secret
scheme. Given the basic construction (concept) of having
one variety point to a point in the other at which the
secret is defined, the geometrical nature of the resulting
shared secret schemes is virtually forced. The problem is
to devise ways to insure that the desired level(s) of concurrence
will define the indicator and such that no lesser
level of collusion will reveal anything about it. There are
also important questions connected with making such schemes
practical, such as minimizing the amount of secret information
that needs to be protected by the holders of the
private pieces of information, or making such schemes
robust against either deliberate or unintentional erroneous
inputs. However, the basic principle for constructing
shared secret schemes is the same in all cases.

An Application (and Two Realizations) of Compartmented 
Shared Secret Schemes 

We consider first the simplest possible compartmented 
scheme: there are two parties (compartments) to the shared 
control, both of whom must concur for the controlled action 
to be initiated. Because of the sensitivity of the action, 
each party wishes to impose the requirement that at least 
two members of their control team must agree that the action 
should be initiated before their party's concurrence can be 
obtained. To be less abstract, assume that there is some 
treaty controlled action that requires U. S. and U.S.S.R. 
concurrence for its initiation. Each country has a team of 
its own representatives (controllers) at the site. Because 
the controllers are trusted — but not unconditionally 
trusted — to carry out their nation's commitment to the 
protocol, each country requires that at least two of their 
controllers must concur before their national input to the 
shared control scheme is to be possible. Clearly, this is 
quite a different control situation than occurs in a simple
(k,ℓ) threshold scheme. In the present case, even if all ℓ
of the Americans (ℓ could be a large number) and one of the
Russians agree, the controlled action is to be inhibited!
For simplicity, we will assume that the secret has 1-dimen- 
sional uncertainty, i.e., that it is equivalent to identi- 
fying a point on a line. 

There are two approaches (using the construction for 
shared secret schemes described here) to constructing com- 
partmented schemes. We will describe both of them and anal- 
yze their relative efficiencies in order to justify our 
choice of a preferred scheme. The first approach is to let
the private information for each part (party) determine a subvariety
V_j: ordinarily a (k_j-1)-dimensional subspace where
the j-th part requires a k_j-out-of-ℓ_j control. These subvarieties
are all chosen to be linearly independent subspaces
of a common space, i.e., so that no pair of them have
a point in common. The indicator variety is then the union
of the required number of these subvarieties (both of them
in the present example). V_d, as usual, is a variety (subspace)
any point of which could with equiprobability be p.
We have in this case

V_i = V_1 ∪ V_2

and

V_i ∩ V_d = p ,

where

dim(V_i) = dim(V_1) + dim(V_2) + 1 .

This is conceptually the simpler approach since the resulting
compartmented scheme is essentially the same as we have
already given for a simple k-out-of-ℓ shared secret scheme.
Because of the complexity of the general case, we will describe
a construction of this type (for the simple two-part
example) before describing the other type of construction
for compartmented schemes.
We note that a 2-out-of-ℓ, ℓ > 2, control scheme always
determines a line in some space. If the line (shared variety)
determined by the U. S. control team is to be independent
of the line determined by the U.S.S.R. team, i.e., if
the two lines are to be skew so that they do not intersect,
then the subspace they span, the indicator V_i, will be
3-dimensional. The domain (variety), which is 1-dimensional
from the problem statement, must be independent of the subspace
spanned by the two shared varieties, hence the lowest
dimensional space in which a scheme of the type we are considering
could possibly be constructed would be 4-dimensional.
This can be done as follows. Take as the two
shared varieties a pair of skew lines, L1 and L2, in Q^4.
The domain is a third line, V_d, skew to both L1 and L2. As
usual in a 2-out-of-ℓ shared secret scheme, the private
pieces of information will be points on the lines L1 or L2,
subject to the side condition that none of them are on the
unique line, ω, that intersects all three of the lines.³
The points at which ω intersects the lines L1, L2 and V_d are
q, r and p, respectively. The lines L1 and L2 span a 3-flat
V_i = <L1,L2> which does not contain V_d. Hence

V_i ∩ V_d = p

which is the index for this particular shared secret scheme.

Since a clear understanding of how this scheme functions 
is essential to understanding the extensions to^ be described 
later, we rephrase in nonmathematical terms what has just 
been said geometrically. Any two members of the first group 



3. Note: We prove rather more than is needed for the present construction. In Q^3 there is a
unique line passing through a given point, p, and intersecting each of two skew lines L1 and L2,
neither of which lies on p. To see this, note that p and L1 determine a plane, π. L2 intersects
it in a point, q; q ≠ p by construction since L2 does not lie on p. The line ω = <p,q> is
in π as is the line L1, so they intersect in a point r. Hence ω is the unique line lying on p
and intersecting L2 and L1 (in points q and r, respectively). Now consider any space Q^n, n ≥ 4.
Let L1 and L2 be a pair of skew lines in Q^n; L1 and L2 span a 3-dimensional subspace S of Q^n.
Given an arbitrary (n-3)-dimensional subspace, T, of Q^n, independent of S, T intersects S in a
single point, p, by the rank theorem. Let this point, p, be the point in the above construction,
etc. We therefore have proven that in Q^n, n ≥ 4, there is a unique line incident with
each of a pair of skew lines and with an (n-3)-dimensional subspace independent of each of these
lines.
can determine the line L1 from their private pieces of
information. Similarly any two members of the second group
can determine the line L2. Once L1 and L2 are known, it is
easy to calculate the 3-flat they determine, in other words
to determine the polynomial constraints that must be satisfied
by all of the points in V_i. The domain V_d, which is
assumed to be known a priori, is itself defined by a polynomial
constraint. The index, p, is the unique point satisfying
all of these constraints. The geometry of the construction
guarantees that there is one and only one point
satisfying both. Pictorially:

Figure 9.

The most threatening form of collusion for this scheme
would be if two (or more) persons from one group and one
from the other pooled their private pieces of information in
an effort to defeat the control scheme. With no loss of
generality, assume that L1 has been compromised and one
point, x, on L2; x ≠ r by construction. To prove that the
scheme is perfect we must show that every point on V_d is
equally likely to be the secret datum under these circumstances.
We extend Kerckhoffs' criteria from cryptography to
shared secret schemes and assume that the geometrical nature
of the scheme is known a priori to both insiders and outsiders,
i.e., to all would-be cheaters. By this assumption
a participant in a collusion knows that L1, L2 and V_d are
skew lines in Q^4 and that the secret datum is the point of
intersection of V_i = <L1,L2> with the line V_d.

Choose any point, u, on V_d. An opponent knows that if u
is to be the secret datum, it must be collinear with a point
of L1 (which has been exposed by the collusion) and a point
on the line L2. He doesn't know L2 of course, only that it
is a line lying on x and skew to both L1 and V_d. Let w be
an arbitrary point on L1, not one of the exposed private
points (pieces of information), since by construction none of
these points are the (unknown) point of intersection, q, of
ω with L1. The line ω* = <u,w> lies in <L1,V_d> since u ∈ V_d
and w ∈ L1. x is not in <L1,V_d>, however, since
L2 ∩ <L1,V_d> = r and x ≠ r. Therefore, for each point, z,
on ω*, z ≠ u or w, a line L2' = <x,z> is determined which is
independent of <L1,V_d> and for which

L2' ∩ <L1,V_d> = z .

Consequently, if L2' = L2, i.e., if the constructed line, L2',
were the unknown L2, then the secret datum would be u. This
is true for every choice of a point w ∈ L1, where w is not
one of the points exposed in the collusion, and for all
points z on ω*, z ≠ u or w. Therefore the cardinality of
the set of schemes lying on L1 and x ∈ L2 is the same for
all choices of u ∈ V_d, which for small numbers of colluders
from group one is of the order of the cardinality of a
2-flat in Q^4.

Since the private points on L1 were chosen to be different
from q, a natural question to ask is whether the equivocation
about p might be a function of the number of insiders
from group one who join in the collusion. To see that this
is not the case, consider the most extreme case possible, in
which ℓ equals the number of points on the line less only
the excluded point, q, and all ℓ of the private points are
exposed in the collusion. By elimination in this case, q is
unambiguously identified and exposed, and the only possible
choice for w is w = q. For each choice of a point u ∈ V_d
the number of schemes on L1, x and u is the number of points
on a line less two, since z ≠ u or q. Therefore, even in
this most extreme case of collusion, all points u on V_d are
equally likely to be p insofar as the colluders can determine.

Any other collusion (the line L1 (or L2), or else a point
on each line, x ∈ L1 and y ∈ L2, or else a point on only one
of the lines, x ∈ L1 (or y ∈ L2)) is less damaging than the
case just analyzed, i.e., the probability of the collusion
improperly determining the index p cannot be increased as a
result of the opponent having less information about the
scheme. Therefore this construction provides a perfect two-part
scheme in which each part is a 2-out-of-ℓ scheme.

To summarize, a construction of the first type to realize
a perfect two-party shared secret scheme to secure a
1-dimensional secret, in which each part is a 2-out-of-ℓ
control scheme, is possible in four dimensions. Although we
haven't described in detail how the private information is
to be partitioned into the one part (dimension) which must
be kept secret and another (three dimensions) which need not
be, an obvious extension to the earlier discussion of the
partitioning of the private information applies here as well.

The other approach to realizing a compartmented shared
secret scheme is to let the subvarieties determined by the
private pieces of information individually indicate points
in a space containing V_d which can be treated as inputs to
the overall concurrence scheme: in the present case
2-out-of-2 since both of the parties must concur. As we
have already seen, k-out-of-k schemes are special, so it
should come as no surprise that the compartmented scheme is
also special in this case (in the sense that it doesn't
represent the general behavior of such schemes).

Figure 10.

Figure 10 shows a two-part scheme of the second type. L1 is the subvariety
(line) defined by the private pieces of information
belonging to one party and L2 is the other. The intersection
of L1 with V_d is a point p1 which is treated as an
input to the perfect 2-out-of-2 scheme defined on V_d. p2 is
determined similarly by L2. Clearly this is a two-part
scheme.

To prove that the scheme in Figure 10 is perfect, we
introduce a method of proof which, while we have used it
before, hasn't been explicitly stated. Given any shared
secret scheme, simple, compartmented, multilevel, etc., it
suffices to prove that the uncertainty about the index is
the same for a more compromising collusion as it is for an
outsider attack to simultaneously prove that it is the same
for all lower levels of collusion dominated by the case
under consideration. For simple k-out-of-ℓ schemes collusions
are linearly ordered, so that it is only necessary to
consider the most damaging collusion in order to prove
perfection (a remark we made earlier). Compartmented and
multilevel schemes however have a lattice (often partial)
ordering on the collusions. For example the ordering on the
five collusions C(0,0) through C(2,1)⁴ is

        C(0,0)
          |
        C(1,0)
       /      \
   C(2,0)    C(1,1)
       \      /
        C(2,1)

so that if the uncertainty about the index is the same for
C(2,1) as it is for C(0,0), the scheme is perfect.

4. The notation C(i,j) indicates a collusion in which i points from one private part and j from the
other have been exposed. In a two-part scheme in which both parts require the same level of
concurrence, C(i,j) is equivalent to C(j,i). C(0,0) is an outsider attack, etc. The notation generalizes to
arbitrarily many parts in an obvious manner.

Now consider the scheme in Figure 10. p is only known a
priori to be a point on V_d, i.e., of 1-dimensional uncertainty
to collusion C(0,0). Similarly, if one of the input
points, say p1, is known and any other point on the indicator
variety, say x, on L2 is exposed — x ≠ p2 by construction
— then, since for any point on V_d there is a
unique line lying on it and x that could be the unknown (to
the participants in the collusion) line L2, every point on
V_d is an equally likely candidate to be p. p is therefore
of 1-dimensional uncertainty to collusion C(2,1) and, by
the remark, to all of the other collusions as well. Hence,
the shared secret scheme in Figure 10 is perfect.
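The second-type two-part scheme of Figure 10, as an added example that is not the paper's own code. It assumes an affine plane over GF(11) with V_d taken as the x-axis (both constructed choices), so that the 2-out-of-2 concurrence on V_d is addition of x-coordinates, and it checks the C(2,1) argument of the proof above by enumerating every line through the exposed point.

```python
# Added example (not from the paper): the two-part compartmented scheme of
# the second type (Figure 10), realized in the affine plane over GF(P) with
# the domain line V_d taken as the x-axis {(x, 0)}.  A 1-dimensional secret
# p is the x-coordinate of the point (p, 0); the perfect 2-out-of-2 scheme
# on V_d is then addition of x-coordinates, p = p1 + p2.
import random

P = 11  # prime order of the ground field; a constructed small value


def inv(a):
    """Multiplicative inverse in GF(P) (P prime)."""
    return pow(a % P, P - 2, P)


def deal(secret, members, rng=None):
    """Dealer side.  `members` = (n1, n2) is the size of each party's team.

    Party j receives a line L_j = {(p_j + s_j*y, y)} through (p_j, 0); such
    a line meets V_d in exactly one point, p_j.  Each member's private piece
    is a point of L_j with y != 0, so p_j itself is never handed out (the
    exclusion the text requires for the second type of construction).
    Returns [points of party 1, points of party 2]."""
    if rng is None:
        rng = random.Random()
    p1 = rng.randrange(P)
    p2 = (secret - p1) % P           # 2-out-of-2 Vernam split of p on V_d
    parties = []
    for pj, n in zip((p1, p2), members):
        if not 2 <= n <= P - 1:
            raise ValueError("a line has only P-1 points off V_d")
        s = rng.randrange(P)         # any non-horizontal line through (pj, 0)
        ys = rng.sample(range(1, P), n)
        parties.append([((pj + s * y) % P, y) for y in ys])
    return parties


def line_intercept(a, b):
    """Two of a party's members pool their points: recover the line L_j
    through them and return the x-coordinate of p_j = L_j ∩ V_d."""
    (x1, y1), (x2, y2) = a, b
    if y1 == y2:
        raise ValueError("points do not determine a line meeting V_d once")
    s = (x1 - x2) * inv(y1 - y2) % P
    return (x1 - s * y1) % P


def reconstruct(two_of_party1, two_of_party2):
    """Both parties concur (two members each): p = p1 + p2 on V_d."""
    p1 = line_intercept(*two_of_party1)
    p2 = line_intercept(*two_of_party2)
    return (p1 + p2) % P


def candidates_for_c21(p1, exposed_point):
    """Collusion C(2,1): L_1 (hence p1) is known and one private point x of
    L_2 has been exposed.  Every non-horizontal line through x is a possible
    L_2; count the secret each would imply.  Since y != 0, the map
    s -> x - s*y is a bijection of GF(P), so every p occurs exactly once:
    the colluders learn nothing about p."""
    x, y = exposed_point
    if y % P == 0:
        raise ValueError("private points never lie on V_d")
    counts = {}
    for s in range(P):
        p2 = (x - s * y) % P
        p = (p1 + p2) % P
        counts[p] = counts.get(p, 0) + 1
    return counts


def demo(secret, members=(3, 2), seed=7):
    """Deal with a fixed seed and recover the secret from two members of
    each party; returns (dealt points, recovered secret)."""
    parties = deal(secret, members, random.Random(seed))
    return parties, reconstruct(parties[0][:2], parties[1][:2])


if __name__ == "__main__":
    parties, recovered = demo(9)
    print("party 1:", parties[0], "party 2:", parties[1])
    print("recovered:", recovered)
    p1 = line_intercept(*parties[0][:2])
    print("C(2,1) candidates:", candidates_for_c21(p1, parties[1][0]))
```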

The contrast between the two types of compartmented
shared secret schemes is significant for the application we
have been discussing and dramatic for other choices of parameters:
in the present case the private information is
2-dimensional for the second type of scheme rather than
4-dimensional as was the case for the first type, and with
no real difference in capability. The only difference is
that in the first type, all of the points on the subvarieties
which did not lie on the transversal ω were available
for use as private pieces of information, while in the second
type the points p1 and p2 had to be excluded. In both
cases the part of the private information that has to be
kept secret is only 1-dimensional. If there is no cost
involved in insuring the integrity of the information that
doesn't need to be kept secret the schemes are equally
attractive, while if there is a cost the second type is the
clear winner since it involves only half as much information
in the private parts.

Unfortunately, because of the difference between
k-out-of-k and k-out-of-ℓ schemes, the construction for the
second type of compartmented system for this example fails
to illustrate a very important property of this class of
schemes.

The smallest example which shows what happens in general
is a scheme in which there are three parts, at least two of
which must concur for the controlled action to be initiated.
Each part, considered separately, is a 2-out-of-ℓ control
scheme. The essential feature of this example over the one
discussed earlier is that the highest level concurrence is a
k-out-of-ℓ, k < ℓ, scheme instead of a k-out-of-k scheme. It
is trivial to extend the construction shown in Figure 9 to
this case, or to any number of parts, k < q, where the construction
is in PG(4,q) for this example. To do this we
simply choose (appropriately) another line, L3, in the
3-dimensional subspace V_i to be the variety determined by
the third party. By "appropriately" we mean that the three
lines L1, L2 and L3 must be skew by pairs, so that any two of
them span (determine) V_i, and that they all intersect a common
line ω in V_i lying on the point p. The points of intersection
of ω with L1, L2 and L3 — q, r and s, respectively
— are not used as one of the private pieces of information,
although any of the q other points on a line can be. This
latter requirement is imposed so that the proof of perfection
given earlier will still hold for this case as well. Figure
11 shows the resulting construction.

Figure 11.

We introduce the notation ∪L_j or ∪V_j to indicate the union
of a designated concurrence of the individual parts: any
two in this particular example.

∪L_j = L1 ∪ L2 = L1 ∪ L3 = L2 ∪ L3 = V_i

The dimension of the space S in which the shared secret
scheme is implemented is

dim S = dim(V_d ∪ V_i) = 4 ,

and

V_i ∩ V_d = p = (∪L_j) ∩ V_d

as was true in the construction given in Figure 9. Consequently,
for the first type of construction, there is no
significant effect in having gone from requiring a unanimous
concurrence by the two parties to requiring only 2-out-of-ℓ,
ℓ > 2, concurrence. The second type of construction however
is quite different from that shown in Figure 10, as is evident
in Figure 12 where a 2-out-of-3 scheme is depicted.

Figure 12.

A simple 2-out-of-3 scheme is implemented in the plane
V = V_i ∪ V_d. The index p is defined by the intersection of
the lines V_i and V_d. What is different is that the points
p1, p2 and p3, any pair of which suffice to determine the
indicator V_i, are themselves determined by the intersection
of the lines L1, L2 and L3, respectively, with the plane V,
where the lines themselves are determined by any pair of the
private points on them. The dimension of the containing
space S in this construction has increased from 2 (for the
2-out-of-2 concurrence example) to 3. The fact that the
dimension of the shared secret scheme of the first type
remained fixed at 4 while the dimension of a scheme of the
second type increased from 2 to 3 raises the question of
whether there might be examples in which each type of scheme
is the more efficient. We next show that this can never be
the case.

In general, the first type of construction defines the
indicator, V_i, by

V_i = ∪V_j

where the V_j are the varieties determined by the individual
parts, irrespective of whether k = ℓ or k < ℓ. In either
case, the index is defined by

(1) V_i ∩ V_d = p = (∪V_j) ∩ V_d .

In general, to realize a scheme of the second type
requiring a k-out-of-ℓ concurrence by the parts, we first
define a space V,

V = V_i ∪ V_d ,

and embed a simple k-out-of-ℓ shared secret scheme in it.
V_i is an indicator (variety or subspace) in V which intersects
V_d in the index p, etc., and in which any k points in
V_i suffice to determine it. V itself is then considered to
be in a space S of a dimension adequate to allow each of the
subvarieties, V_j, defined by the individual parts to intersect
V in only a single point, p_j. Any k of these points of
intersection will suffice to determine the indicator V_i and
hence the point of intersection, p, of V_i and V_d to recover
the secret.

The essential point to this construction is that

V_i = ∪p_j = ∪(V_j ∩ V)

and

(2) V_i ∩ V_d = p = (∪(V_j ∩ V)) ∩ V_d .

To simplify the comparison we first consider the case in
which all of the parts require the same level of concurrence:
k'-out-of-ℓ'. If the concurrence required among the
parts is k-out-of-ℓ and the secret is d-dimensional,
then the dimension of the containing space S is

(3) dim(S) = kk' + d - 1

for a scheme of the first type irrespective of whether k = ℓ
or k < ℓ. For a scheme of the second type,

(4) dim(S) = k' + d - 1

if k = ℓ, and

(5) dim(S) = k' + k + d - 2

if k < ℓ. For the example just analyzed, k = k' = 2 and
d = 1, so that the dimensions of the spaces were 4, 2 and 3,
respectively. Since it must always be the case that k ≥ 2
and k' ≥ 2, it is easy to see that it is always possible to
construct a shared secret scheme of the second type in a
lower dimension space than is possible for a scheme of the
first type. This is also true if the individual parts do
not all require the same level of concurrence:

k_1 ≥ k_2 ≥ ... ≥ k_ℓ .

We then have, in analogy to the results above,

(3*) dim(S) = Σ_{j=1}^{k} k_j + d - 1

for a scheme of the first type irrespective of whether k = ℓ
or k < ℓ. For a scheme of the second type

(4*) dim(S) = k_1 + d - 1

if k = ℓ, and

(5*) dim(S) = k_1 + k + d - 2

if k < ℓ.
In summary, in spite of the simplicity of the first type
of construction for compartmented shared secret schemes, it
is never as efficient (in the usage of information) as
schemes of the second type.

A Discussion of Exceptional Cases 

It is almost as difficult to provide for unanimity in 
shared secret schemes as it is to secure it in real-life 
situations. In this section we will discuss several exam- 
ples in which one or more of the parts requires unanimity of 
input and in which the overall control scheme may require 
either k-out-of-ℓ, k < ℓ, or k-out-of-k concurrence.

The smallest — not necessarily the simplest — example
is obtained by modifying the first problem we discussed: a
two-part scheme in which each part required a 2-out-of-ℓ
concurrence. If the concurrence required for one of the
parts is changed from a 2-out-of-ℓ scheme to a 2-out-of-2
scheme, it isn't obvious how to construct a compartmented
scheme of the first type. Recall that in this type of construction
the indicator, V_i, is a subspace spanned by the
varieties determined by the individual parts. In this case,
since there are two parts — both of whom must concur in
order for the secret to be recovered — V_i would be the
union of the line, say L2, determined by the 2-out-of-ℓ
scheme and presumably the point, p1, determined by the
2-out-of-2 scheme. V_i must then be a plane

V_i = <L2,p1>

The private pieces of information for the second part are
points on the line L2, etc. The problem is: where are the
two points (private pieces of information) q1 and r1 that
define p1 for the 2-out-of-2 scheme? They can't be confined
to the plane V_i, otherwise V_i would be determined by L2 and
only one of the points q1 or r1. Hence if the system is to
be perfect, it must be the case that the two points, q1 and
r1, lie in a 3-space which contains V_i. Pictorially:

Figure 13.

p1 cannot be a point on L2 nor collinear with p and any
point on L2 used as one of the private pieces of information
for the second part. The first condition is to insure that
when the concurrence conditions are satisfied V_i, and
hence p, will be determined. The second is to insure that a
collusion consisting of p1 and one point on L2 will not
reveal the secret.

The construction in Figure 13 illustrates one (of the
many) problems associated with k-out-of-k schemes. In this
case the dimensionality of the containing space S suddenly
ceases to obey the counting formula given earlier. If part
one were a 3-out-of-3 or a 4-out-of-4 or in general a
k_1-out-of-k_1, k_1 ≤ q, concurrence scheme and part two
remained a 2-out-of-ℓ scheme, S would still only need to be
3-dimensional, exactly as shown in Figure 13. In other
words, we seem to have lost the functional dependence
between the minimum dimension for the containing space S and
the concurrence level k_1 which we had identified earlier.

Now consider a compartmented scheme of the second type
for the same example. Recall that in this type of scheme,
the individual parts determine indicators that point to
points in an intermediate subspace V in which the overall
shared secret scheme is embedded. Since this highest level
scheme is a 2-out-of-2 concurrence for this example, V need
only be a line as shown in Figure 8. L2 must be a line
which intersects V = V_d in a single point p2. p1 of course
is also a point on V_d, for which p = p1 + p2. The question
is: where must the points q1 and r1 be located? There is
no reason for them to be outside of the plane determined by
L2 and V_d, π = <L2,V_d>, but is there any restriction on
where they can be located in π? For example, the following
construction in which q1 and r1 are constrained to lie on V_d
satisfies the conditions to be a perfect two-part shared
secret scheme, etc.

Figure 14.

However, so does the construction 
Figure 15.

In both of these constructions, the dimension of the con- 
taining space S is two so that it doesn't appear to make any 
difference where the points qi and ri are located. 

On the other hand, if both parts require a 2-out-of-2
concurrence, as does the overall scheme, there is a
difference:

Figure 16. (point labels: r1, p1, q1, p, r2, p2, q2)

versus

Figure 17.
The question is, which of these is the proper, i.e., logic-
ally consistent, generalization for the type of construc- 
tions we've used earlier. Increasing the number of parts 
from 2 to k doesn't differentiate between the two construc- 
tions either so long as the overall scheme requires 
unanimous agreement by the separate parts. 

We consider next a three-part scheme in which the over-
all scheme requires the concurrence of only 2-out-of-3 parts
and in which two of the parts are 2-out-of-2 schemes. The
other part is a 2-out-of-l scheme. In this case, a con-
struction of the first type is given by:

Figure 18.
where L3 and either p1 or p2 determine the plane V_i and
hence its point of intersection, p, with V_d. Points p1 and
p2 determine the line u, which lies in V_i, but which inter-
sects V_d at p. With the same conditions on the choices for
p1 and p2 that had to be imposed on the choice of p1 in the
construction of Figure 13 (and for the same reasons) this is
a perfect shared secret scheme of the first type satisfying
the problem specifications.

A construction of the second type is shown in Figure 19. 
Figure 19.

V is the plane spanned by the indicator, V_i, and the domain,
V_d, etc., as before. L3 is a line outside of V which inter-
sects V at the point p3. The points q1 and r1, and q2 and
r2, could equally well be in V or outside of V. They cannot
be confined to be in V_i since if they were then a collusion
consisting of any pair of points chosen from the set {p3,
q1, r1, q2, r2} would be able to determine V_i and hence p,
in violation of the specified level of concurrence.

It is interesting to note that here (for this particular
example) we have the first instance we have seen in which
the dimensionality of the optimal constructions is the same
for both types of schemes. In answer to our earlier ques-
tion, the k-out-of-k control schemes should be confined to
the space V = V_i u V_d, since no gain in security is achieved
by letting them lie outside of this space, and one dimension
(to S) may, for some choices of specifications, be saved
by this restriction. We have already seen this in the
degenerate case shown in Figures 16 and 17, degenerate
because there is no V_i, so that V = V_d. To see this in the
present case, assume that all three parts require 2-out-of-2
concurrence but that the overall scheme is 2-out-of-3. An
obvious modification to L3 in Figure 19 yields a 3-dimen-
sional solution. However a 2-dimensional solution is possi-
ble in exact analogy to the construction in Figure 16.
Figure 20.

It is interesting to note that in this final example the
constructions are identical for both type one and type two
schemes.

After all of this discussion of exceptional cases, our
conclusion is the same as it was before: one cannot do
better (in terms of the efficient use of information) in
constructing compartmented shared secret schemes than to
base them on constructions of the second type; in other
words, to let the individual parts determine subindicators
that point to points in a space V that define an indicator
for the overall k-out-of-l concurrence scheme.

An Application (and Realization) of Multilevel Shared Secret 
Schemes 

In the brief discussion given earlier of the various 
extended capabilities to shared secret schemes, we described 
one scenario in which any two vice presidents of a bank were 
authorized to approve an electronic funds transfer (up to 
some maximum amount) or in which any three senior tellers 
could do so. As we remarked then, for this application it 
would almost certainly be unacceptable that one vice 
president and two senior tellers not be able to approve a
transfer. In other words, in this and many other real-world 
applications, a participant's ability to act must hold not 
only in his own class or level but in all lower-level 
classes as well. We remark that we are only interested in 
extrinsic schemes in which the worth of a particular piece 
of private information is totally dependent on its func- 
tional relationship to other pieces of private information, 
and not (in an information theoretic sense) on its own 
information content. Otherwise the intrinsic hierarchical 
schemes described earlier would be a solution to the prob- 
lem, even though the amount of information a participant has 
to protect (keep secret) might be so great as to make the 
solution totally infeasible for practical application. In 
other words, all the pieces of private information should 
consist of n bits of information, even though some may be 
several times more effective in recovering the secret than 
others.

Figure 21 shows a perfect shared secret scheme for the 
electronic funds transfer problem. 
Figure 21.



Vice presidents know points on the line V_1 which intersects
V_d at the point p so that any two of them can determine V_1
and hence p, etc. Senior tellers know points in general
position in the plane V_2 (not on V_1) no two of which
are collinear with any of the private points chosen on V_1
nor with p. Any three of them can determine V_2 and hence p,
etc. Clearly any point on V_1 taken with a pair of the
points in V_2 defines V_2 as desired, since no such triple of
points is collinear by construction.

By now the reader should be very familiar (and comfort-
able) with the way in which shared secret systems are con-
structed. For example, if we wished to conceal a 2-dimen-
sional secret instead of a 1-dimensional secret in a 2-level
scheme in which level one is a 2-out-of-l scheme, we could
use the same geometrical construction that was used earlier
to construct a simple 3-out-of-l scheme to conceal a
2-dimensional secret. Two planes, V_2 and V_d, are chosen in
a 4-dimensional space such that they do not lie in a common
3-dimensional subspace. This forces them to have a single
point, p, in common. In fact, we can use the same procedure
used earlier to construct V_2, given V_d, so that a desired
index p is the point of intersection. An arbitrary point,
q, in V_2, q != p, is chosen and the line V_1 = <p,q> used to
determine the points for the first class participants. The
second class participants receive points in general position
in V_2 none of which are on V_1 and no pair of which are
collinear with either p or any point from V_1 assigned to one
of the first class participants. Pictorially:




Figure 22. 
An obvious extension to these constructions will accommodate
an arbitrary sequence of concurrence levels, k_j, and/or a
d-dimensional secret. It would appear, therefore, that this
completely solves the problem of multilevel schemes.

It is only necessary to examine the construction in
Figure 21 a little more critically to realize that there is
more to the problem (and solution) than we have suggested.
We remarked earlier that the amount of information that had
to be kept secret in the private pieces of information was
the same as the information contained in the secret itself.
In the scheme shown in Figure 21 S is 3-dimensional while
the secret is only 1-dimensional. One might think that, in
analogy to what was done with the private pieces of infor-
mation in the 2-dimensional scheme shown in Figure 2 where
one coordinate value was kept secret and one was exposed,
one coordinate value could be kept secret in this case
as well, say z, and two exposed: (x_j, y_j, (z_j)). If this is
done, however, the secret is revealed even to outsiders,
not just to a collusion of insiders.

Anyone knowing the nonsecret parts of the private pieces
of information, i.e., their projection (along the z axis)
onto the xy plane,

Figure 23.

also knows the projection of the line V_1 into the line V'_1.
This is easy to determine by finding any set of three or
more collinear points in the projection. The line V_1 is
therefore known to be in the plane pi which is parallel to
the z axis and includes the line V'_1.

Figure 24.



In fact the unknown subvariety must be one of the pencil
of lines in pi with common point p, the point at which the
line V_d intersects pi. The important point is that it isn't
necessary to identify V_1, only its intersection, p, with
V_d. Consequently p (and the secret) is revealed from only a
knowledge of the nonsecret parts of the private pieces of
information unless V_d satisfies some additional constraints.
The problem goes away if the projection of V_d onto the xy
plane is in the line V'_1, in other words, if V_d is a line
in pi. In the extreme case V_d could be a line parallel to
the z axis so that the entire line projects into a point p*
in V'_1. p* is the image of p under the projection along the
z axis: proj_z(p) = p*. V_1 and V_d are therefore distinct
lines in pi, at least one of which must project into the
entire line V'_1. The plane V_2 is not the same as pi and in
fact cannot be parallel to the z axis, hence its projection
is the whole of the xy plane.
Figure 25.

In this figure V_d has been chosen to be parallel to the z
axis so that p* is the image of all of V_d and hence known.
Otherwise the projection of V_d is all of V'_1 and the pro-
jection of p, p*, would be unknown.

The problem that we encountered in partitioning the pri-
vate information into a secret part and a nonsecret part for
the multilevel scheme shown in Figure 21 without compromis-
ing the security of the secret is common to almost all mul-
tilevel schemes. The solution for that particular case,
while suggestive of the general method of solution, is not
definitive. To better illustrate the general case, we next
consider the two-level scheme shown in Figure 22. S was
4-dimensional in that case and the secret was 2-dimensional
so that the private information would be (if the previous
examples are any guide) of the form (x_j, y_j, (z_j), (w_j)).
The line V_1 projects into a line V'_1 in the xy plane. In
this case, corresponding to the plane pi that was defined on
V'_1 in the construction in Figure 24, there is a 3-space,
Sigma, parallel to the z and w axes which includes the line
V'_1. Since S is only 4-dimensional, the plane V_d either
intersects Sigma in a line or else is contained in Sigma. By
the rank formula, S would have to be 6-dimensional for the
two subspaces to be skew and 5-dimensional for them to
intersect in only a point. If Sigma n V_d = l, l a line,
then the scheme cannot be perfect since the equivocation
about the secret would be only of O(q) instead of O(q^2)
using the exposed (nonsecret) parts of the private pieces of
information. It must therefore be the case that V_d is
contained in Sigma. This does not say that

$$\mathrm{proj}_{z,w}(V_d) = \mathrm{proj}_{z,w}(V_1)$$

but merely that

$$\mathrm{proj}_{z,w}(V_d) \subset \mathrm{proj}_{z,w}(V_1).$$

This is analogous to the previous case in which proj_z(V_d)
was either the point p* (in the line V'_1) or else all of V'_1.

Although it is possible to formulate general conditions
on the subspaces which will insure that these problems are
avoided (even if the subspaces are chosen almost at random)
there is no gain in security nor a compensating increase
in capability to justify this additional freedom of choice.
Instead, in the first example we may as well take V_d to be a
line parallel to the z axis so that proj_z(V_d) = p*, with
p* in V'_1, and in the second to take V_d to be parallel to
the z and w axes so that proj_{z,w}(V_d) = p*, with p* in
proj_{z,w}(V_1) = V'_1 in this case also. If we construct the
domain V_d in this manner, the secret part of the private
information will be totally lost in the projection, i.e., in
the disclosure of the nonsecret part, and the scheme will be
secure.

Finally, given a d-dimensional secret which is to be
secured in a t-level scheme, where the concurrence required
at level j is k_j,

$$k_t > k_{t-1} > \ldots > k_1,$$

and in which a participant at the j-th level is to be able
to function at all lower levels (having however only the
capability associated with that level) we can construct a
perfect multilevel control scheme with these characteris-
tics. We start with an n-dimensional space, S = PG(n,q),
where n = d + k_t - 1. V_d is a d-dimensional subspace of S
parallel to the coordinates x_d, x_{d-1}, ..., x_1. Given the
secret point p in V_d, we construct a (k_t - 1)-dimensional
subspace, V_t, of S that intersects V_d only in the point p.
We next choose a (k_{t-1} - 1)-dimensional subspace V_{t-1}
of V_t lying on the point p. This procedure is repeated to
finally yield a chain of nested subspaces

$$V_t \supset V_{t-1} \supset \ldots \supset V_1$$

of dimensions k_t - 1, k_{t-1} - 1, ..., k_1 - 1, respectively,
all of which lie on the point p.




Figure 26. 

The private pieces of information are to be chosen so as to
have rank k_j in V_j and to not lie in any of the higher order
subspaces. In other words, in the construction shown in
Figure 21, the points in V_2 were chosen not to lie on V_1 and
such that no two were collinear with any of the private
points chosen on V_1 nor with the index, p. In general, this
says that the points in the j-th class are to be chosen in
general position in V_j \ V_i, such that the rank of any set
of k_j points drawn from among all of the private points in
u V_i and the index, p, will be k_j. Under these conditions
clearly any participant can act as a member of any lower
class. The private information will be of the form




and the scheme will be perfect since the secret information 
is totally lost in the projection along the first d 
coordinates. 
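The chain just described reduces, for t = 2 and d = 1, to the vice-president/senior-teller scheme of Figure 21. The following is an added worked example, not code from Simmons' paper (which argues in the projective space PG(n,q)): it realises that two-level construction in the affine space GF(101)^3, with V_d taken as the line {(a,b,z)} parallel to the z axis as the text recommends, V_1 the vice presidents' line through p and V_2 the senior tellers' plane, and recovers the secret by intersecting the affine hull of the pooled shares with V_d. The field size 101, the share counts, the seed and all function names are my choices.

```python
# Added example (not from Simmons' paper): the two-level scheme of Figure 21
# over the affine space GF(P)^3, with V_d parallel to the z axis so that the
# exposed (x, y) parts of a share say nothing about the secret.
from itertools import combinations
import random

P = 101  # constructed field size; a deployment would use a prime far too large to guess


def inv(a):
    """Multiplicative inverse mod P (P prime)."""
    return pow(a % P, P - 2, P)


def rref(rows, ncols):
    """Reduced row echelon form mod P of an augmented matrix (last column = right-hand side).
    Returns (matrix, list of pivot columns)."""
    m = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        pr = next((i for i in range(r, len(m)) if m[i][c] % P), None)
        if pr is None:
            continue
        m[r], m[pr] = m[pr], m[r]
        iv = inv(m[r][c])
        m[r] = [v * iv % P for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c] % P:
                f = m[i][c]
                m[i] = [(x - f * y) % P for x, y in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    return m, pivots


def recover(points, a, b):
    """Intersect the affine hull of `points` with V_d = {(a, b, z)}. Returns z if the
    intersection is a single point, else None (hull misses V_d, or z is not pinned down)."""
    p1 = points[0]
    dirs = [[(q[t] - p1[t]) % P for t in range(3)] for q in points[1:]]
    # unknowns: column 0 is z, columns 1.. are the affine coefficients lambda_j
    rows = []
    for t in range(3):
        rhs = ((a, b, 0)[t] - p1[t]) % P
        rows.append([(P - 1) if t == 2 else 0] + [d[t] for d in dirs] + [rhs])
    m, pivots = rref(rows, 1 + len(dirs))
    if any(not any(row[:-1]) and row[-1] for row in m):
        return None  # inconsistent: the hull and V_d are disjoint
    if 0 not in pivots or any(m[0][1:-1]):
        return None  # z depends on a free coefficient
    return m[0][-1]


def collinear(q, r, s):
    """True when three points of GF(P)^3 lie on one line (cross product of r-q and s-q vanishes)."""
    u = [(r[t] - q[t]) % P for t in range(3)]
    v = [(s[t] - q[t]) % P for t in range(3)]
    cross = (u[1] * v[2] - u[2] * v[1], u[2] * v[0] - u[0] * v[2], u[0] * v[1] - u[1] * v[0])
    return all(c % P == 0 for c in cross)


def deal(secret, n_vp, n_tellers, rng):
    """Dealer side of Figure 21: V_d = {(a, b, z)}, index p = (a, b, secret),
    V_1 = p + <u> for the vice presidents, V_2 = p + <u, v> for the senior tellers."""
    a, b = rng.randrange(P), rng.randrange(P)
    p = (a, b, secret % P)
    u = (1, rng.randrange(P), rng.randrange(P))  # not parallel to z: V_1 meets V_d only in p
    v = (0, 1, rng.randrange(P))                  # det[u, v, e_z] = 1: V_2 meets V_d only in p

    def point(alpha, beta):
        return tuple((p[t] + alpha * u[t] + beta * v[t]) % P for t in range(3))

    vps = [point(alpha, 0) for alpha in rng.sample(range(1, P), n_vp)]
    tellers = []
    while len(tellers) < n_tellers:
        cand = point(rng.randrange(P), rng.randrange(1, P))  # beta != 0 keeps it off V_1
        anchors = [p] + vps + tellers
        # general position: no two tellers collinear with p or a VP share, no three tellers collinear
        if cand not in anchors and all(not collinear(cand, x, y) for x, y in combinations(anchors, 2)):
            tellers.append(cand)
    return (a, b), vps, tellers


def demo(seed=7):
    """Authorised and unauthorised coalitions of Figure 21 (3 vice presidents, 4 tellers)."""
    rng = random.Random(seed)
    secret = 42
    (a, b), vps, tellers = deal(secret, 3, 4, rng)
    return {
        "secret": secret,
        "two_vps": recover(vps[:2], a, b),
        "three_tellers": recover(tellers[:3], a, b),
        "vp_and_two_tellers": recover([vps[0]] + tellers[:2], a, b),
        "one_vp": recover(vps[:1], a, b),
        "two_tellers": recover(tellers[:2], a, b),
        "vp_and_teller": recover([vps[0], tellers[0]], a, b),
    }


def exposed_parts_leak(seed=7):
    """Outsider's view (Figures 23-25): two VP shares with only (x, y) exposed.
    Counts the distinct secrets consistent with that view; P means nothing leaked."""
    rng = random.Random(seed)
    (a, b), vps, _ = deal(42, 2, 0, rng)
    candidates = set()
    for z1 in range(P):
        for z2 in range(P):
            s = recover([vps[0][:2] + (z1,), vps[1][:2] + (z2,)], a, b)
            if s is not None:
                candidates.add(s)
    return len(candidates)


if __name__ == "__main__":
    print(demo())
    print("secrets consistent with the exposed parts:", exposed_parts_leak(), "of", P)
```

`demo()` returns the secret for any two vice presidents, any three tellers, or one vice president with two tellers, and `None` for the coalitions the text declares unauthorised: a lone share, two tellers, or one vice president with one teller (their line lies in V_2 but misses p, so it never meets V_d). `exposed_parts_leak()` brute-forces the hidden z coordinates of two vice-president shares and finds every element of GF(P) still possible, which is the page's point about choosing V_d parallel to the z axis.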



Conclusion 

In view of the length of this paper we merely remark in 
conclusion that the two types of partitioning of secret 
information which have been described here can be combined 
to form hybrid control schemes involving simple, multipart 
and multilevel controls. For example, it would be easy to 
devise a two-part control scheme in which both the U.S. 
military command and the U.S.S.R. military command had to 
concur in order for the controlled event to be initiated. 
The U.S. could choose to use a multilevel scheme, say one 
in which two or more generals, three or more colonels (or 
generals), five or more lieutenant colonels (or colonels or 
generals) had to concur in order for the U.S. input to be 
made. The U.S.S.R. on the other hand might have entirely 
different requirements; for example they might require the 
unanimous concurrence of three of their general staff in 
order for the U.S.S.R. input to be made. The constructions 
described here are sufficiently general to accommodate both 
arbitrary concurrence of the parties and arbitrary multi- 
level concurrence within the individual parts. There are 
concurrence schemes, however, that can't be satisfied by 
schemes of the type described here, but it appears unlikely 
that any such scheme will be of practical interest: one 
such example would be if participants A and B together could 
cause an event to be initiated but A, B and C together could 
not. 
Abstract

A necessary and sufficient condition on the Walsh-spectrum of a boolean 
function is given, which implies that this function fulfills the Strict Avalanche 
Criterion. This condition is shown to be fulfilled for a class of functions exhibit- 
ing simple spectral symmetries. Finally, an extended definition of the Strict 
Avalanche Criterion is proposed and the corresponding spectral characteriza- 
tion is derived. 

1 Introduction 

The "Strict Avalanche Criterion" (SAC) was introduced by A.F. Webster and
S.E. Tavares. They write [1]: "If a function is to satisfy the strict avalanche cri-
terion, then each of its output bits should change with a probability of one half
whenever a single input bit $x$ is complemented to $\bar{x}$." The cryptographic signifi-
cance of the SAC is highlighted by considering the situation where a cryptographer
needs some "complex" mapping $f$ of $n$ bits onto one bit. Although the expression
"complex" has no precise mathematical definition here, an information-theoretical
approach can help assigning it an intuitively pleasant meaning. Maximizing the
entropy $H(f([x_1, x_2, \ldots, x_n]))$ yields zero-one balanced functions, but this alone
certainly does not ensure the "complexity" of a function. Maximizing the condi-
tional entropy $H(f([x_1, \ldots, \bar{x}_i, \ldots, x_n]) \mid f([x_1, \ldots, x_i, \ldots, x_n]))$ for all $i$, $1 \le i \le n$,
leads to SAC-fulfilling boolean functions, according to the definition in [1]. It is
proposed here to go even further, by keeping one or more input bits of $f$ constant,
and making the obtained "subfunctions" complex as well. It is worthwhile pointing
out the fact that any function $f'$ of $n-1$ bits will be a relatively bad approximation
of $f$ if $f$ fulfills the SAC. Indeed, the output of the best possible $f'$ will differ from
the output of $f$ with a probability of $\frac{1}{4}$. This lack of accuracy of lower-dimensional
approximations is a desirable property of cryptosystems: the existence of some (rela-
tively accurate) lower-dimensional approximation of an enciphering transformation
could reduce the amount of work for an exhaustive search according to the dimen-
sion of the domain of the approximation. Functions for which flipping one input
bit always flips the output of course are still more difficult to approximate (the
best lower-dimensional approximation is inaccurate in 50% of the cases), but their
conditional entropy $H(f([x_1, \ldots, \bar{x}_i, \ldots, x_n]) \mid f([x_1, \ldots, x_i, \ldots, x_n]))$ is zero.

In the first part of this paper, Boolean functions $f(x)$ with $n$ bits input and
one bit output are considered. The Walsh transform has shown to be very useful
for the analysis of (statistical) properties of boolean functions. It is shown that a
boolean function $f(x)$ fulfills the SAC if and only if, for all $i \in \{1, 2, \ldots, n\}$, its
Walsh transform $F(w)$, $w = [w_1, w_2, \ldots, w_n]$, fulfills

$$\sum_{w \in Z_2^n} (-1)^{w_i} F^2(w) = 0,$$

where $Z_2^n$ denotes the n-dimensional vector space over the finite field GF(2). This
set of conditions is shown to be fulfilled for a class of functions $F(w)$ that exhibits
certain "visible symmetries" arising from equalities of the form $F(w) = F(w \oplus c)$.

In the second part of the paper, the requirements on a boolean function are made 
stronger, introducing the concept of "SAC of higher order". The corresponding 
spectral conditions are then established. 

2 Walsh-Spectrum of SAC-fulfilling Functions

2.1 Spectral Characterization of Functions Fulfilling the SAC

First, a few basic definitions, lemmas and theorems are needed. 

Definition 1 [2,3,5] If $f(x)$ is any real-valued function whose domain is the vector
space $Z_2^n$, the Walsh transform of $f(x)$ is defined as:

$$F(w) = \sum_{x \in Z_2^n} f(x) \cdot (-1)^{x \cdot w} \qquad (1)$$

where $w \in Z_2^n$ and $x \cdot w$ denotes the dot-product of $x$ and $w$, defined as

$$x \cdot w = x_1 w_1 \oplus x_2 w_2 \oplus \ldots \oplus x_n w_n. \qquad (2)$$

The function $f(x)$ can be recovered from $F(w)$ by the inverse Walsh transform:

$$f(x) = 2^{-n} \sum_{w \in Z_2^n} F(w) \cdot (-1)^{x \cdot w}. \qquad (3)$$
The Walsh transform and its inverse (both defined for real-valued functions) may
be applied to boolean functions if their values are viewed as the real values 0 and 1.

Very often, it is easier to work with boolean functions that take values in the
range $\{1,-1\}$. The function $\hat{f}(x)$ is defined as

$$\hat{f}(x) = (-1)^{f(x)} \quad \text{or} \quad \hat{f}(x) = 1 - 2f(x). \qquad (4)$$

The relationship between the Walsh transforms of $f(x)$ and $\hat{f}(x)$ is stated in the
following lemma [2,3].

Lemma 1 If $\hat{f}(x) = (-1)^{f(x)}$, then

$$\hat{F}(w) = -2F(w) + 2^n \delta(w), \qquad (5)$$

which is equivalent to

$$F(w) = 2^{n-1} \delta(w) - \tfrac{1}{2} \hat{F}(w), \qquad (6)$$

where

$$\delta(w) = \begin{cases} 1, & \text{for } w = 0 \\ 0, & \text{otherwise.} \end{cases} \qquad (7)$$
Let $x$ and $x_i$ denote two n-bit vectors, such that $x$ and $x_i$ differ only in bit $i$,
$1 \le i \le n$. $Z_2^n$ denotes the n-dimensional vector space over $\{0,1\}$. The function
$f(x) = z$, $z \in \{0,1\}$ fulfills the SAC if and only if

$$\sum_{x \in Z_2^n} f(x) \oplus f(x_i) = 2^{n-1}, \quad \text{for all } i \text{ with } 1 \le i \le n. \qquad (8)$$

If we denote by $c_i$ the n-dimensional unit-vector with a one at the i-th place and
zeroes elsewhere, condition (8) may be alternatively written as

$$\sum_{x \in Z_2^n} f(x) \oplus f(x \oplus c_i) = 2^{n-1}, \quad \text{for all } i \text{ with } 1 \le i \le n. \qquad (9)$$

We now wish to express the SAC for the case of an $\hat{f}$-function (with range $\{1,-1\}$).
The following Lemma yields an alternative definition of the SAC.

Lemma 2 $f(x)$ fulfills the SAC if and only if the function $\hat{f}(x) = (-1)^{f(x)}$ fulfills

$$\sum_{x \in Z_2^n} \hat{f}(x) \cdot \hat{f}(x \oplus c_i) = 0, \qquad (10)$$

for all $c_i$ with Hamming-weight one.

This lemma is easily derived, considering that if a function $f(x)$ fulfills the SAC,
exactly half the $x \in Z_2^n$ satisfy $f(x) \ne f(x \oplus c_i)$, for all $i \in \{1, 2, \ldots, n\}$. This means
that the function $\hat{f}(x) = (-1)^{f(x)}$ satisfies

$$\hat{f}(x) \cdot \hat{f}(x \oplus c_i) = -1 \quad \text{for half the } x \in Z_2^n, \text{ and} \qquad (11)$$
$$\hat{f}(x) \cdot \hat{f}(x \oplus c_i) = 1 \quad \text{for the other half.} \qquad (12)$$
Summing up over all the $x \in Z_2^n$ thus yields (10). The term on the left-hand side
of equation (10) can also be represented by the convolution of $\hat{f}(x)$ with itself:

$$\sum_{x \in Z_2^n} \hat{f}(x) \cdot \hat{f}(x \oplus c_i) = [\hat{f} * \hat{f}](c_i). \qquad (13)$$

From the well-known convolution theorem, which states that

$$h(x) = \sum_{y \in Z_2^n} f(y) \cdot g(y \oplus x) \iff H(w) = F(w) \cdot G(w), \qquad (14)$$

we see that the left-hand side of (10) is also the inverse Walsh-transform of $\hat{F}(w) \cdot
\hat{F}(w) = \hat{F}^2(w)$, and with (3) we get:

$$[\hat{f} * \hat{f}](c_i) = 2^{-n} \sum_{w \in Z_2^n} \hat{F}^2(w) \cdot (-1)^{w \cdot c_i} \qquad (15)$$
$$= 2^{-n} \sum_{w \in Z_2^n} \hat{F}^2(w) \cdot (-1)^{w_i}, \qquad (16)$$

where we made use of the fact that $c_i$ is of the form $[0, 0, \ldots, 0, c_i = 1, 0, \ldots, 0]$.
This, together with (5), proves the following theorem.

Theorem 1 A function $\hat{f}(x) : Z_2^n \to \{1,-1\}$ fulfills the SAC if and only if its
Walsh-transform $\hat{F}(w)$ satisfies

$$\sum_{w \in Z_2^n} (-1)^{w_i} \cdot \hat{F}^2(w) = 0 \qquad (17)$$

for all $i \in \{1, 2, \ldots, n\}$. Equivalently, the Walsh-transform $F(w)$ of $f(x) = \tfrac{1}{2}(1 -
\hat{f}(x))$ has to fulfill

$$\sum_{w \in Z_2^n} (-1)^{w_i} \cdot F^2(w) = 2^n F([0, \ldots, 0]) - 2^{2n-2} \qquad (18)$$

for all $i \in \{1, 2, \ldots, n\}$.

Note that $F([0, \ldots, 0])$ equals the number of ones in the truth table of $f(x)$.

Example 1:

Consider the function $f(x) : Z_2^3 \to \{0,1\}$, the corresponding $\hat{f}(x) =
(-1)^{f(x)}$ and their respective Walsh-transforms $F(w)$ and $\hat{F}(w)$ given by
the following table:

  x1/w1  x2/w2  x3/w3   f(x)  \hat{f}(x)   F(w)  \hat{F}(w)
    0      0      0       0       1          4       0
    0      0      1       1      -1          0       0
    0      1      0       1      -1         -2       4
    0      1      1       0       1         -2       4
    1      0      0       0       1          0       0
    1      0      1       0       1          0       0
    1      1      0       1      -1          2      -4
    1      1      1       1      -1         -2       4
It is easily checked that flipping the bit $x_1$ flips the output $f(x)$ in 50%
of the cases. That is true for $x_3$ too, but not for $x_2$: flipping $x_2$ always
changes $f(x)$. Therefore,

$$H(f([x_1, \bar{x}_2, x_3]) \mid f([x_1, x_2, x_3])) = 0$$

and this function does not fulfill the SAC. Indeed, when we compute
$\sum_{w \in Z_2^3} (-1)^{w_i} \cdot \hat{F}^2(w)$ for $i = 1, 2$ and 3, we get zero for $i = 1$ and $i = 3$
and $-64$ for $i = 2$, which does not satisfy the requirements of theorem 1.

Example 2:

Next, we examine another function of three bits, $g(x)$.

  x1/w1  x2/w2  x3/w3   g(x)  \hat{g}(x)   G(w)  \hat{G}(w)
    0      0      0       0       1          4       0
    0      0      1       0       1         -2       4
    0      1      0       0       1         -2       4
    0      1      1       1      -1          0       0
    1      0      0       0       1         -2       4
    1      0      1       1      -1          0       0
    1      1      0       1      -1          0       0
    1      1      1       1      -1          2      -4

The reader can check that flipping any of the three input bits involves
an output change in 50% of the cases. Therefore, this function fulfills
the SAC and the requirements of theorem 1 can be checked to hold for
$i = 1, 2$ and 3.

It should be pointed out that if a function fulfills the SAC, it does not imply 
that it is zero/one balanced, as can be seen from the following example. 

Example 3:

  x1/w1  x2/w2  x3/w3   h(x)  \hat{h}(x)   H(w)  \hat{H}(w)
    0      0      0       0       1          2       4
    0      0      1       0       1          0       0
    0      1      0       0       1          0       0
    0      1      1       1      -1          2      -4
    1      0      0       1      -1          0       0
    1      0      1       0       1         -2       4
    1      1      0       0       1         -2       4
    1      1      1       0       1          0       0

h(x) takes on six times the value zero and only twice the value one, 
which doesn't prevent it from fulfilling the SAC. 
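The three tables above can be regenerated and Theorem 1 applied mechanically. The following is an added example, not code from the paper: it implements the Walsh transform (1), the $\{1,-1\}$ form (4), the check of Lemma 1 (5), the sums of (17) for each input bit, and the direct definition (9) for comparison. The truth tables are my transcription of Examples 1 to 3 (Example 2's $g$ is the majority of the three bits), indexed by $x = x_1 x_2 x_3$ read as a binary number with $x_1$ the most significant bit; the function names are mine.

```python
# Added example (not from the paper): Walsh spectra and the spectral SAC test
# of Theorem 1 for the three-bit functions of Examples 1-3.
# Truth tables are lists indexed by x = x_1 x_2 x_3 read as a binary number
# (x_1 is the most significant bit), so f[0b011] = f([0, 1, 1]).


def parity(v):
    """Parity of the bits of v; with v = x & w this is the dot product (2)."""
    return bin(v).count("1") & 1


def walsh(f):
    """Walsh transform (1) of a real-valued truth table of length 2^n."""
    N = len(f)
    return [sum(f[x] * (-1) ** parity(x & w) for x in range(N)) for w in range(N)]


def hat(f):
    """The {1,-1}-valued form (4): 0 -> 1, 1 -> -1."""
    return [1 - 2 * v for v in f]


def lemma1_holds(f):
    """Check (5): F-hat(w) = -2 F(w) + 2^n delta(w) for every w."""
    N = len(f)
    F, Fh = walsh(f), walsh(hat(f))
    return all(Fh[w] == -2 * F[w] + (N if w == 0 else 0) for w in range(N))


def spectral_sac_sums(f):
    """Left-hand sides of (17) for i = 1..n; the SAC holds iff every entry is 0."""
    N = len(f)
    n = N.bit_length() - 1
    Fh = walsh(hat(f))
    return [sum((-1) ** ((w >> (n - i)) & 1) * Fh[w] ** 2 for w in range(N))
            for i in range(1, n + 1)]


def fulfills_sac(f):
    """Theorem 1 used as a test."""
    return all(s == 0 for s in spectral_sac_sums(f))


def sac_by_definition(f):
    """Condition (9): flipping bit i changes f on exactly half of the inputs."""
    N = len(f)
    n = N.bit_length() - 1
    return all(sum(f[x] ^ f[x ^ (1 << (n - i))] for x in range(N)) == N // 2
               for i in range(1, n + 1))


# Constructed truth tables in the order x = 000, 001, ..., 111, matching the three examples
EXAMPLE1_F = [0, 1, 1, 0, 0, 0, 1, 1]  # flipping x_2 always changes f: not SAC
EXAMPLE2_G = [0, 0, 0, 1, 0, 1, 1, 1]  # majority of the three bits: SAC
EXAMPLE3_H = [0, 0, 0, 1, 1, 0, 0, 0]  # only two ones, still SAC

if __name__ == "__main__":
    for name, f in (("f", EXAMPLE1_F), ("g", EXAMPLE2_G), ("h", EXAMPLE3_H)):
        print(name, "F =", walsh(f), "F^ =", walsh(hat(f)),
              "sums (17) =", spectral_sac_sums(f), "SAC:", fulfills_sac(f))
```

For Example 1 the sums of (17) come out as 0, -64, 0, the value the text quotes for $i = 2$; for Examples 2 and 3 all three sums vanish, and in every case the spectral verdict agrees with the direct count of (9).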
2.2 Construction of SAC-Fulfilling Functions

A geometrical interpretation of theorem 1 can be introduced if we look at the
n-tuples $[w_1, w_2, \ldots, w_n]$ as the corners of an n-dimensional cube with edges of
length one. Let's attach to each corner $w = [w_1, w_2, \ldots, w_n]$ a weight equal
to $\hat{F}^2(w)$. The center of gravity of this n-dimensional body has the coordinates
$[\bar{w}_1, \bar{w}_2, \ldots, \bar{w}_n]$ with

$$\bar{w}_i = \frac{\sum_{w : w_i = 1} \hat{F}^2(w)}{\sum_{w \in Z_2^n} \hat{F}^2(w)}, \qquad (19)$$

for $1 \le i \le n$. If a function $\hat{f}(x) : Z_2^n \to \{1,-1\}$ fulfills the SAC, we know by
theorem 1 that

$$\sum_{w : w_i = 1} \hat{F}^2(w) - \sum_{w : w_i = 0} \hat{F}^2(w) = 0 \qquad (20)$$

$$\sum_{w : w_i = 1} \hat{F}^2(w) = \sum_{w : w_i = 0} \hat{F}^2(w). \qquad (21)$$

And in that case we have

$$\bar{w}_i = \frac{\sum_{w : w_i = 1} \hat{F}^2(w)}{\sum_{w \in Z_2^n} \hat{F}^2(w)} = \frac{\sum_{w : w_i = 0} \hat{F}^2(w)}{\sum_{w \in Z_2^n} \hat{F}^2(w)} = \frac{1}{2}, \qquad (22)$$

which shows that the coordinate $\bar{w}_i$ of the center of gravity of the considered cubic
body remains unchanged if all the weights on one "face" of the cube (face with $w_i =
0$) are moved to the opposite "face" (face with $w_i = 1$) and conversely. Therefore,
we can state that a function $\hat{f}(x)$ fulfills the SAC if and only if the n-cube with
weights equal to $\hat{F}^2(w)$ attached to its corners has a center of gravity which is
equidistant from any two opposite "faces" of the cube, and thus from all the corners
of the cube. The center of gravity of the body associated to the Walsh-spectrum of
an SAC-fulfilling function therefore has the coordinates $[\frac{1}{2}, \frac{1}{2}, \ldots, \frac{1}{2}]$.

Example 4:

The 3-dimensional cube associated to the function $g(x)$ of example 2 is
represented on the right-hand side of Fig. 1. The dark circles designate
weights of magnitude $\hat{F}^2(w) = 16$. The exchange of "faces" may be
performed in three ways:

$$G_1^2(w) = \hat{F}^2(w \oplus [1,0,0]),$$
$$G_2^2(w) = \hat{F}^2(w \oplus [0,1,0]),$$
$$G_3^2(w) = \hat{F}^2(w \oplus [0,0,1]),$$

all of them yielding the same body, namely the one represented on the
left-hand side of Fig. 1.

Figure 1: The 3-dimensional cubic body associated to the function $g(x)$ of example 2
and its associated body obtained by exchanging "faces".



The idea that now naturally arises is to use this as a construction for new SAC-
fulfilling functions from known ones. The pitfall is that $\hat{F}(w)$ might be taken as
$\pm\sqrt{\hat{F}^2(w)}$ for each one of the $2^n$ $w$'s. For the worst case where all $2^n$ $w$'s are
associated to nonzero values of $\hat{F}^2(w)$, this will yield $2^{2^n}$ possible choices for the
mapping $\hat{F}(w)$, not all of them having valid boolean functions (i.e. 1/-1 valued)
as inverse Walsh-transforms. In fact, a function $\hat{f}(x)$ is a boolean (1/-1 valued)
function if and only if

$$\hat{f}^2(x) = 1, \quad \text{for all } x \in Z_2^n. \qquad (23)$$

By the convolution theorem, we see that this is equivalent to

Theorem 2 [2, p. 167] $\hat{F}(w)$ is the Walsh-transform of a boolean function $\hat{f}(x) :
Z_2^n \to \{1,-1\}$ if and only if

$$\sum_{s \in Z_2^n} \hat{F}(s) \cdot \hat{F}(s \oplus w) = \begin{cases} 2^{2n}, & \text{for } w = 0 \\ 0, & \text{otherwise.} \end{cases} \qquad (24)$$



Let $\pi$ be an operator on $Z_2^n$ which, when applied to $x$, permutes its indices [2, p. 165]:

$$\pi x = \pi [x_1, x_2, \ldots, x_n] = [x_{\pi_1}, x_{\pi_2}, \ldots, x_{\pi_n}]. \qquad (25)$$

$\pi^{-1}$ is the inverse operator such that

$$\pi^{-1}(\pi x) = x. \qquad (26)$$

We write

$$\pi = [\pi_1, \pi_2, \ldots, \pi_n], \quad \pi^{-1} = [\pi'_1, \pi'_2, \ldots, \pi'_n]. \qquad (27)$$

Example 5:

If the permutation $\pi = [\pi_1, \pi_2, \pi_3] = [2, 3, 1]$ is applied to $x = [x_1, x_2, x_3]$,
one gets $\pi x = [x_2, x_3, x_1]$. The inverse operator $\pi^{-1} = [\pi'_1, \pi'_2, \pi'_3]$ in this
case equals $[3, 1, 2]$, since $\pi^{-1}(\pi x)$ must equal $x$.
If a function $f(x)$ fulfills the SAC, it is easy to see that this property is preserved
under any permutation $\pi$ of the input bits. Thus, $g(x) = f(\pi x)$ fulfills the SAC too.
Furthermore, $g(x \oplus c) = h(x)$ has $(-1)^{c \cdot w} G(w) = H(w)$ as Walsh-transform (by the
translate theorem), and this implies $H^2(w) = G^2(w)$ for all $w \in Z_2^n$. Consequently,
$H(w)$ satisfies equation (17) and the following theorem holds.

Theorem 3 If $f(x) : Z_2^n \to \{1,-1\}$ fulfills the SAC, then $g(x) = f(\pi x \oplus c)$ fulfills
it too, for any permutation operator $\pi$ and any constant $c \in Z_2^n$.

For symmetry reasons, the following lemma is easily seen to be true.

Lemma 3 The function $g(x) = -\hat{f}(x)$ (resp. $g(x) = \overline{f(x)}$) fulfills the SAC if and
only if $\hat{f}(x)$ (resp. $f(x)$) fulfills the SAC.

At this point, we already dispose of some tools to construct SAC-fulfilling
boolean functions, and the question arises whether it is possible to construct all
SAC-fulfilling functions with those tools. Computer experiments were carried out,
in order to find such functions

(i) by exhaustive testing of all the $2^{2^n}$ existing boolean functions of $n$ bits ($n = 3$
and $n = 4$),

(ii) by making use of Theorem 3 and Lemma 3 (but without trying out all possible
assignations $G(w) = \pm\sqrt{F^2(w)}$).

This established the fact that the above construction does not generate all the
SAC-fulfilling functions, but only subclasses of them. We call the attention of the
reader to the redundancy of the described synthesis rules: nothing ensures us that
a newly obtained function will be different from the starting one or from a formerly
constructed one.

Example 6:

Let $g(x) = f(x \oplus [1,0,1])$, where $f(x)$ is defined through the following
table.

  x1  x2  x3   f(x)  g(x)
   0   0   0     1     1
   0   0   1     1     1
   0   1   0     1     1
   0   1   1    -1    -1
   1   0   0     1     1
   1   0   1     1     1
   1   1   0    -1    -1
   1   1   1     1     1

We notice that $g(x) = f(x)$ for all $x \in Z_2^3$. The reason is that $f(x)$
is partially symmetric in $x_1$ and $x_3$ [4, p. 123], that is $f([x_1, x_2, x_3]) =
f([x_3, x_2, x_1])$ for all $[x_1, x_2, x_3] \in Z_2^3$.
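Theorem 2, the synthesis rules of Theorem 3 and Lemma 3, and the outcome of the computer experiments (i) and (ii) can all be reproduced for $n = 3$. The following is an added example, not code from the paper: `is_boolean_spectrum` is the convolution test (24), `valid_sign_choices` tries every assignment $\pm\sqrt{\hat{F}^2(w)}$ on the squared spectrum of Example 2's $g$, `synthesize` applies $g(x) = f(\pi x \oplus c)$ with optional complementation, and `all_sac_functions` is the exhaustive search. Example 6's $f$ is transcribed in 0/1 form (value 1 exactly where the table shows $-1$); the squared spectrum of $g$, the helper names and the bit ordering ($x_1$ the most significant bit) are my assumptions.

```python
# Added example (not from the paper): Theorem 2 as a validity test for sign
# choices +-sqrt(F^2(w)), the synthesis rules of Theorem 3 and Lemma 3, and an
# exhaustive count for n = 3 showing that the rules reach only a subclass.
# Truth tables are 0/1 lists indexed by x = x_1 x_2 x_3 (x_1 the top bit).
from itertools import permutations, product
from math import isqrt


def is_boolean_spectrum(Fh):
    """Theorem 2 (24): Fh is the Walsh transform of a {1,-1}-valued function
    iff its convolution with itself is 2^(2n) at w = 0 and 0 elsewhere."""
    N = len(Fh)
    return all(sum(Fh[s] * Fh[s ^ w] for s in range(N)) == (N * N if w == 0 else 0)
               for w in range(N))


def valid_sign_choices(F_squared):
    """All assignments F(w) = +-sqrt(F^2(w)) that pass Theorem 2."""
    support = [w for w, v in enumerate(F_squared) if v]
    valid = []
    for signs in product((1, -1), repeat=len(support)):
        Fh = [0] * len(F_squared)
        for w, s in zip(support, signs):
            Fh[w] = s * isqrt(F_squared[w])
        if is_boolean_spectrum(Fh):
            valid.append(Fh)
    return valid


def sac_by_definition(f):
    """Condition (9): flipping any single bit changes f on exactly half the inputs."""
    N = len(f)
    n = N.bit_length() - 1
    return all(sum(f[x] ^ f[x ^ (1 << (n - i))] for x in range(N)) == N // 2
               for i in range(1, n + 1))


def permute_input(x, pi, n):
    """(25): position i of pi(x) holds bit pi_i of x (pi is 1-based, as in Example 5)."""
    bits = [(x >> (n - i)) & 1 for i in range(1, n + 1)]
    out = 0
    for p in pi:
        out = (out << 1) | bits[p - 1]
    return out


def synthesize(f, pi, c, negate=False):
    """Theorem 3 / Lemma 3: g(x) = f(pi x xor c), optionally complemented."""
    n = len(f).bit_length() - 1
    g = [f[permute_input(x, pi, n) ^ c] for x in range(len(f))]
    return [v ^ 1 for v in g] if negate else g


def orbit(f):
    """Every function reachable from f by the synthesis rules (as tuples)."""
    n = len(f).bit_length() - 1
    return {tuple(synthesize(f, pi, c, neg))
            for pi in permutations(range(1, n + 1))
            for c in range(len(f)) for neg in (False, True)}


def all_sac_functions(n):
    """Exhaustive search over all 2^(2^n) truth tables, as in experiment (i)."""
    return {f for f in product((0, 1), repeat=2 ** n) if sac_by_definition(f)}


# Constructed data: Example 6's f in 0/1 form (f-hat = -1 exactly at x = 011 and 110)
# and the squared Walsh spectrum of Example 2's g.
EXAMPLE6_F = [0, 0, 0, 1, 0, 0, 1, 0]
EXAMPLE2_G_HAT_SQUARED = [0, 16, 16, 0, 16, 0, 0, 16]

if __name__ == "__main__":
    print(len(valid_sign_choices(EXAMPLE2_G_HAT_SQUARED)), "of 16 sign choices give a Boolean function")
    reach, every = orbit(EXAMPLE6_F), all_sac_functions(3)
    print(len(reach), "functions reachable from Example 6's f;", len(every), "SAC functions of 3 bits")
```

Of the 16 sign patterns on the four nonzero coefficients of Example 2's spectrum, only the 8 with an odd number of negative signs pass (24); the others invert to values that are not $\pm 1$. Starting from Example 6's $f$, the permutation, translation and complement rules reach 24 functions, while the exhaustive search finds 64 SAC-fulfilling functions of three bits, which is the paper's observation that the rules generate only a subclass.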
2.3 Spectral Symmetries of SAC-Fulfilling Functions 

We now introduce the definition of the 50%-dependence of boolean functions with 
respect to one of their input bits. The concept is not new: it was implicitly used 
in the definition of the SAC. 

Definition 2 A function $f : Z_2^n \rightarrow \{1,-1\}$ (resp. $f : Z_2^n \rightarrow \{0,1\}$) is said to 
be 50%-dependent of its i-th input bit $x_i$ if and only if any two n-tuples $x$ 
and $\tilde{x}_i$ that differ only in bit i are mapped onto two different values with probability 
1/2 and onto the same value with the same probability of 1/2. Or formally 

$$\sum_{x \in Z_2^n} f(x) \cdot f(x \oplus c_i) = 0, \qquad (28)$$

for $\{1,-1\}$-valued functions, and 

$$\sum_{x \in Z_2^n} f(x) \oplus f(x \oplus c_i) = 2^{n-1} \qquad (29)$$

for $\{0,1\}$-valued functions, where $c_i$ denotes the n-tuple with a one at the i-th place and zeroes elsewhere. 

We thus see that a boolean function fulfills the SAC if and only if it is 50%-dependent 
of each of its input bits. 

The following theorem gives a sufficient condition for a function to be 50%- 
dependent of one or more of its input bits. 

Theorem 4 If for some nonzero $c \in Z_2^n$ and for all $w \in Z_2^n$ 

$$F^2(w) = F^2(w \oplus c) \qquad (30)$$

holds, and if c has Hamming weight m ($c_{i_1} = c_{i_2} = \ldots = c_{i_m} = 1$, $1 \le m \le n$), then 
$f(x)$ is 50%-dependent of the input bits $x_{i_1}, x_{i_2}, \ldots, x_{i_m}$. 

Proof: 

According to the value of the subvector $w' = [w_{i_1}, w_{i_2}, \ldots, w_{i_m}]$, the 
vector space $Z_2^n$ can be divided into $2^m$ disjoint subsets $S_{w'}$. To each 
of these subsets $S_{w'}$ one can uniquely associate the subset $S_{v'}$ where 
$v' = [\bar{w}_{i_1}, \bar{w}_{i_2}, \ldots, \bar{w}_{i_m}]$, and because of (30) one can write 

$$\sum_{w \in S_{w'}} F^2(w) = \sum_{w \in S_{v'}} F^2(w) \qquad (31)$$

for each choice of $w' \in Z_2^m$. Consequently, we have the following set of 
$2^{m-1}$ equations: 

$$\sum_{w \in S_{[0,0,\ldots,0]}} F^2(w) = \sum_{w \in S_{[1,1,\ldots,1]}} F^2(w)$$

$$\sum_{w \in S_{[0,\ldots,0,1]}} F^2(w) = \sum_{w \in S_{[1,\ldots,1,0]}} F^2(w)$$

$$\vdots$$

$$\sum_{w \in S_{[0,1,\ldots,1]}} F^2(w) = \sum_{w \in S_{[1,0,\ldots,0]}} F^2(w)$$

Summing up the left-hand side terms and the right-hand side terms 
respectively, we get 

$$\sum_{w : w_{i_1} = 0} F^2(w) = \sum_{w : w_{i_1} = 1} F^2(w), \qquad (32)$$

or equivalently 

$$\sum_{w \in Z_2^n} (-1)^{w_{i_1}} \cdot F^2(w) = 0, \qquad (33)$$

which means that $f(x)$ is 50%-dependent of $x_{i_1}$. For symmetry reasons, 
we get the same result for $x_{i_2}, \ldots, x_{i_m}$. 
Figure 2: An SAC-fulfilling function f(x) of 4 bits whose squared Walsh-spectrum 
satisfies (34) 

For the special case 

$$F^2(w) = F^2(w \oplus [1,\ldots,1]) = F^2(\bar{w}), \qquad (34)$$

theorem 4 asserts that f(x) is 50%-dependent of all its input bits, or, in other words, 
that f(x) fulfills the SAC. This is interesting from a practical point of view, because 
the equality (34) is easily noticeable when looking at the squared Walsh-spectrum 
$F^2(w)$. 
Example 7: 

The function $f(x) : Z_2^4 \rightarrow \{1,-1\}$ takes on the following values (from 
the top to the bottom of the truth table): 1,1,1,1,1,-1,-1,1,-1,1,-1,-1,1,-1,-1,-1. 
Fig. 2 shows this function, its Walsh-spectrum and its squared 
Walsh-spectrum. The discrete points where the functions are defined are 
connected by lines to make the diagrams more easily readable. We observe 
a symmetrical form of $F^2(w)$ according to (34) and f(x) therefore 
fulfills the SAC. 

But (34) is not a necessary condition for a function to fulfill the SAC. If, for example, 
f(x) is such that its squared Walsh-transform satisfies 

$$F^2(w) = F^2(w \oplus [1,1,1,0,\ldots,0]) \qquad (35)$$
$$\text{and} \quad F^2(w) = F^2(w \oplus [1,1,0,1,\ldots,1]) \qquad (36)$$

we know, by theorem 4, that f(x) fulfills the SAC (by (35), f(x) is 50%-dependent 
of the bits $x_1, x_2$ and $x_3$, by (36), f(x) is 50%-dependent of $x_1, x_2, x_4, \ldots, x_n$). The 
following example shows that a function f(x) might be 50%-dependent of its input 
bit $x_i$ even if there is no $c \in Z_2^n$ such that $c_i = 1$ and (30) is satisfied for all $w \in Z_2^n$. 
In other words, the condition of theorem 4 is sufficient but not necessary. 

Example 8: 

$F^2(w)$ of Fig. 3 satisfies 

$$F^2(w) = F^2(w \oplus [1,0,1,1]) \qquad (37)$$

for all $w \in Z_2^4$ but no other relation of the form (30). Equation (37) 
implies that f(x) is 50%-dependent of $x_1, x_3$ and $x_4$, but says nothing 
about $x_2$. Nonetheless, one can check that f(x) is 50%-dependent of $x_2$ 
as well. 

3 Strict Avalanche Criterion of Higher Order 

3.1 Definitions 

As mentioned in the introduction, the SAC is cryptographically relevant because it 
maximizes the conditional entropy $H(f([x_1, \ldots, \bar{x}_i, \ldots, x_n]) \mid f([x_1, \ldots, x_i, \ldots, x_n]))$ 
and it assures that the best possible lower-dimensional space approximation of a 
mapping yields an erroneous result in 25% of the cases. We consider now a mapping 
of n bits onto one bit that fulfills the SAC. If one or more of its input bits 
are kept constant, the question arises whether it is possible to find some accurate 
approximation of this reduced mapping (reduced in the sense that it is defined only 
on a subspace of $Z_2^n$). If this is possible, the exhaustive search over the considered 
subspace can be reduced (compared with the exhaustive search over the full space 
without approximation). In a chosen-plaintext attack, the opponent has the opportunity 
to perform such tests where one or more input bits are kept constant. For 
this reason, we now extend the definition of the SAC in order to cover situations 
like the one just described. 

Figure 3: An SAC-fulfilling function that does not satisfy any equation of the form 
$F^2(w) = F^2(w \oplus [c_1, c_2 = 1, c_3, c_4])$ but nevertheless is 50%-dependent of the second 
input bit. 

Let f(x) be a function which maps $Z_2^n$ onto {0, 1} and which fulfills the SAC. It 
is well-known that f(x) can be written as 

$$f(x) = x_i \cdot f_{i,1}(x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n) \oplus \bar{x}_i \cdot f_{i,0}(x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n) \qquad (38)$$

for every $i \in \{1, 2, \ldots, n\}$. The function $f_{i,1}$ (resp. $f_{i,0}$) is obtained from f(x) by 
keeping the i-th bit of x constant and equal to 1 (resp. to 0). We now consider the 
50%-dependence of the output of $f_{i,1}$ and $f_{i,0}$ with respect to each of their n − 1 
input bits. 

Definition 3 A function $f(x) : Z_2^n \rightarrow \{0, 1\}$ is said to fulfill the Strict Avalanche 
Criterion of order 1 if and only if 

• f(x) fulfills the SAC, 

• and every function obtained from f(x) by keeping the i-th input bit constant 
and equal to c fulfills the SAC as well (for every $i \in \{1, 2, \ldots, n\}$, and for 
c = 0 and c = 1). 

The definition can be extended to order m, where $1 \le m \le n - 2$, if m input bits 
of f(x) are kept constant. 

Definition 4 A function $f(x) : Z_2^n \rightarrow \{0, 1\}$ is said to fulfill the Strict Avalanche 
Criterion of order m if and only if 

• f(x) fulfills the SAC of order m − 1, 

• and any function obtained from f(x) by keeping m of its input bits constant 
fulfills the SAC as well (this must be true for any choice of the positions and 
of the values of the m constant bits). 

In what follows, the "classical" SAC will sometimes be called "SAC of order 0". 

Example 9: 

$f(x) : Z_2^4 \rightarrow \{0, 1\}$ is defined through the following truth table. 



      x1 | 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1
      x2 | 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1
      x3 | 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1
      x4 | 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
    -----+---------------------------------
    f(x) | 0 0 0 1 0 1 1 1 1 0 0 0 0 0 0 1



Keeping the bit $x_1$ equal to 0, we get a function $f_{1,0} : Z_2^3 \rightarrow \{0, 1\}$ 
(left-hand half of the truth table of f(x)) which can be checked to fulfill the 
SAC. To check whether f(x) fulfills the SAC of order one, we must go 
further and control all eight functions of three bits obtained by keeping 
each input bit of f(x) fixed (equal to zero resp. to one); they are listed in 
the following table. All of them fulfill the SAC. 

    y1  y2  y3 | f1,0  f1,1  f2,0  f2,1  f3,0  f3,1  f4,0  f4,1
    ------------------------------------------------------------
     0   0   0 |  0     1     0     0     0     0     0     0
     0   0   1 |  0     0     0     1     0     1     0     1
     0   1   0 |  0     0     0     1     0     1     0     1
     0   1   1 |  1     0     1     1     1     1     1     1
     1   0   0 |  0     0     1     0     1     0     1     0
     1   0   1 |  1     0     0     0     0     0     0     0
     1   1   0 |  1     0     0     0     0     0     0     0
     1   1   1 |  1     1     0     1     0     1     0     1

Therefore, f(x) fulfills the SAC of order one. Keeping each pair $(x_i, x_j)$ 
constant and equal to (0, 0), (0, 1), (1, 0) and (1, 1) respectively, one gets 
$\binom{4}{2} \cdot 4 = 6 \cdot 4 = 24$ functions of 2 bits and each of them fulfills the 
SAC. f(x) thus even satisfies the SAC of order 2. It makes of course 
no sense to consider the SAC of order 3 for this function, since keeping 
three input bits constant yields functions of one variable for which the 
SAC is not defined. 



3.2 Spectral Characterization for SAC of Higher Order 

From example 9, it is clear that a boolean function of n bits can fulfill the SAC of 
order at most n − 2. 

We are interested in a spectral characterization of boolean functions that fulfill 
some SAC of higher order. We again consider $\hat{f}(x) = (-1)^{f(x)}$ rather than f(x). 
The following equation is quite similar to (38). 

$$\hat{f}(x) = x_i \cdot \hat{f}_{i,1}([x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n]) + \bar{x}_i \cdot \hat{f}_{i,0}([x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n]) \qquad (39)$$

and can be written for each $i \in \{1, 2, \ldots, n\}$. The "subfunctions" $\hat{f}_{i,1}$ and $\hat{f}_{i,0}$ map 
$Z_2^{n-1}$ onto {1, −1}, and all 2n subfunctions $\hat{f}_{i,j}$ must fulfill the SAC of order zero if 
$\hat{f}(x)$ is to fulfill the SAC of order 1. We introduce 

$$\hat{f}_{i,I}(x) = x_i \cdot \hat{f}_{i,1}([x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n]) \quad \text{and} \qquad (40)$$
$$\hat{f}_{i,II}(x) = \bar{x}_i \cdot \hat{f}_{i,0}([x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n]) \qquad (41)$$

and we compute their Walsh-transforms. 

$$F_{i,I}(w) = \sum_{x \in Z_2^n} x_i \cdot \hat{f}_{i,1}([x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n]) \cdot (-1)^{w \cdot x} \qquad (42)$$

$$= \sum_{x : x_i = 1} \hat{f}_{i,1}([x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n]) \cdot (-1)^{w \cdot x - w_i x_i} \cdot (-1)^{w_i x_i} \qquad (43)$$

With the substitutions 

$$x' = [x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n], \quad x' \in Z_2^{n-1} \quad \text{and} \qquad (44)$$
$$w' = [w_1, \ldots, w_{i-1}, w_{i+1}, \ldots, w_n], \quad w' \in Z_2^{n-1} \qquad (45)$$

we obtain 

$$F_{i,I}(w) = \sum_{x' \in Z_2^{n-1}} \hat{f}_{i,1}(x') \cdot (-1)^{w' \cdot x'} \cdot (-1)^{w_i} \qquad (46)$$
$$= (-1)^{w_i} \cdot F_{i,1}(w'), \qquad (47)$$

where $F_{i,1}(w')$ designates the Walsh-transform of $\hat{f}_{i,1}(x')$. Similarly, we get 

$$F_{i,II}(w) = \sum_{x : x_i = 0} \hat{f}_{i,0}(x') \cdot (-1)^{w' \cdot x'} = F_{i,0}(w'). \qquad (48)$$
Because of the linearity of the Walsh-transform and the fact that "+" in expression 
(39) can be considered as integer addition (because always one of both terms 
on the right-hand side of (39) equals zero) we get: 

$$F(w) = (-1)^{w_i} \cdot F_{i,1}(w') + F_{i,0}(w'), \quad \text{for all } i \in \{1, 2, \ldots, n\} \qquad (49)$$

or equivalently 

$$F(w) = \begin{cases} F_{i,1}(w') + F_{i,0}(w') & \text{for } w_i = 0, \\ -F_{i,1}(w') + F_{i,0}(w') & \text{for } w_i = 1. \end{cases} \qquad (50)$$

Adding, respectively subtracting both equations gives 

$$F_{i,0}(w') = \tfrac{1}{2} [F(w) + F(w \oplus c_i)] \qquad (51)$$

$$F_{i,1}(w') = \tfrac{1}{2} \cdot (-1)^{w_i} \cdot [F(w) - F(w \oplus c_i)] \qquad (52)$$

where $c_i = [0, 0, \ldots, 0, c_i = 1, 0, \ldots, 0]$. By theorem 1, f(x) will fulfill the SAC of 
order 1 if and only if 

$$\sum_{w' \in Z_2^{n-1}} (-1)^{w_j} \cdot F_{i,0}^2(w') = 0 \quad \text{and} \qquad (53)$$

$$\sum_{w' \in Z_2^{n-1}} (-1)^{w_j} \cdot F_{i,1}^2(w') = 0 \qquad (54)$$

for all $i, j \in \{1, 2, \ldots, n\}$ with $i \ne j$. Replacing $F_{i,0}$ in (53) by its equivalent form 
from (51) gives 

$$\sum_{w'} \tfrac{1}{4} [F(w) + F(w \oplus c_i)]^2 \cdot (-1)^{w_j} = 0, \quad j \ne i \qquad (55)$$

or 

$$\tfrac{1}{4} \sum_{w'} [F^2(w) + F^2(w \oplus c_i)] \cdot (-1)^{w_j} + \tfrac{1}{2} \sum_{w'} F(w) \cdot F(w \oplus c_i) \cdot (-1)^{w_j} = 0. \qquad (56)$$

The first sum in (56) can be written as $\sum_{w \in Z_2^n} F^2(w) \cdot (-1)^{w_j}$ and therefore equals 
zero since f(x) fulfills the SAC of order 0 (necessary condition for fulfilling the SAC 
of order one). Thus 

$$\tfrac{1}{2} \sum_{w'} F(w) \cdot F(w \oplus c_i) \cdot (-1)^{w_j} = 0, \qquad (57)$$

which implies 

$$\sum_{w \in Z_2^n} F(w) \cdot F(w \oplus c_i) \cdot (-1)^{w_j} = 0. \qquad (58)$$

Inserting (52) in (54) also leads to (58). Theorem 5 follows. 
Theorem 5 A function $f(x) : Z_2^n \rightarrow \{1, -1\}$ fulfills the SAC of order 1 if and 
only if it fulfills the SAC of order zero and 

$$\sum_{w \in Z_2^n} F(w) F(w \oplus c_i) \cdot (-1)^{w_j} = 0 \qquad (59)$$

for all $i, j \in \{1, 2, \ldots, n\}$ with $i \ne j$. 

To verify whether a function of n bits fulfills the SAC of order 1 or not, at most 
$\underbrace{n}_{\text{SAC order 0}} + \underbrace{n \cdot (n-1)}_{\text{SAC order 1}}$ checks are therefore required. The spectral characterizations 
of the SAC of order 2 and of higher orders can be derived in a similar way 
and are given without proof in the following two theorems. 

Theorem 6 A function $f(x) : Z_2^n \rightarrow \{1, -1\}$ fulfills the SAC of order 2 if and 
only if it fulfills the SAC of orders 0 and 1, and 

$$\sum_{w \in Z_2^n} F(w) F(w \oplus c_{i,j}) \cdot (-1)^{w_k} = 0 \qquad (60)$$

for all distinct $i, j, k \in \{1, 2, \ldots, n\}$, and with $c_{i,j}$ denoting the n-tuple with a one at 
the i-th and j-th place and zeroes elsewhere. 

Verifying whether the SAC of order 2 is fulfilled or not thus requires at most 
$n + n(n-1) + \binom{n}{2}(n-2)$ checks. 

Theorem 7 A function $f(x) : Z_2^n \rightarrow \{1, -1\}$ fulfills the SAC of order m, $0 \le m \le n-2$, if and only if 

$$\sum_{w \in Z_2^n} F(w) F(w \oplus c_s) \cdot (-1)^{w_k} = 0 \qquad (61)$$

for all $c_s \in Z_2^n$ with Hamming weights $s = 0, 1, 2, \ldots, m$ and for all $k \in \{1, 2, \ldots, n\}$ 
such that the k-th bit of $c_s$ is zero. 

Verifying whether the SAC of order m is fulfilled or not requires at most 
$n + n(n-1) + \binom{n}{2}(n-2) + \binom{n}{3}(n-3) + \cdots + \binom{n}{m}(n-m)$ checks. 
Example 10: 

If f(x) is a boolean function of five bits, the following sums have to be 
checked: 

SAC order 0: $\sum_{w \in Z_2^5} F^2(w) \cdot (-1)^{w_j}$, $j \in \{1, 2, \ldots, 5\}$, 

SAC order 1: $\sum_{w \in Z_2^5} F(w) F(w \oplus [00001]) \cdot (-1)^{w_j}$, $j \in \{1, 2, 3, 4\}$, 
             $\sum_{w \in Z_2^5} F(w) F(w \oplus [00010]) \cdot (-1)^{w_j}$, $j \in \{1, 2, 3, 5\}$, 
             $\vdots$ 
             $\sum_{w \in Z_2^5} F(w) F(w \oplus [10000]) \cdot (-1)^{w_j}$, $j \in \{2, 3, 4, 5\}$, 

SAC order 2: $\sum_{w \in Z_2^5} F(w) F(w \oplus [00011]) \cdot (-1)^{w_j}$, $j \in \{1, 2, 3\}$, 
             $\sum_{w \in Z_2^5} F(w) F(w \oplus [00101]) \cdot (-1)^{w_j}$, $j \in \{1, 2, 4\}$, 
             $\vdots$ 
             $\sum_{w \in Z_2^5} F(w) F(w \oplus [11000]) \cdot (-1)^{w_j}$, $j \in \{3, 4, 5\}$, 

SAC order 3: $\sum_{w \in Z_2^5} F(w) F(w \oplus [00111]) \cdot (-1)^{w_j}$, $j \in \{1, 2\}$, 
             $\sum_{w \in Z_2^5} F(w) F(w \oplus [01011]) \cdot (-1)^{w_j}$, $j \in \{1, 3\}$, 
             $\vdots$ 
             $\sum_{w \in Z_2^5} F(w) F(w \oplus [11100]) \cdot (-1)^{w_j}$, $j \in \{4, 5\}$. 

                 n =    2      3      4      5      6
    ---------------------------------------------------
    no SAC          8    192  61408      ?      ?
    SAC order 0     8     48   3808      ?      ?
    SAC order 1     -     16    288      ?      ?
    SAC order 2     -      -     32      ?      ?
    SAC order 3     -      -      -     64      ?
    SAC order 4     -      -      -      -    128

Table 1: Number of functions that fulfill the SAC of some given order 

Exhaustive computer search through functions of 2, 3 and 4 bits allowed to count 
how many boolean functions fulfill the SAC of a given order. The results are listed 
in table 1. One can check that the columns for n = 2, 3 and 4 sum up to $2^{2^n}$. Notice 
that no function is counted twice, although in fact each function that fulfills the SAC 
of some order m by definition also fulfills the SAC of orders m − 1, m − 2, . . . , 1, 0. 
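As an added worked example (code written for this edition, not part of the paper), the following Python implements both sides of the characterization: Definition 4 applied by keeping bits constant and testing the subfunctions, and the spectral test of Theorem 7 built on the Walsh transform, which also covers the symmetry (34) of Theorem 4 used in Example 7. It is run on the functions of Examples 7 and 9 and reproduces the n = 3 column of Table 1; the convention that x1 is the most significant bit of the truth-table index is an assumption.

```python
"""SAC of order m two ways: Definition 4 (keep bits constant, test the
subfunctions) and the spectral condition of Theorem 7.  Added example; the
convention x1 = most significant bit of the truth-table index is an assumption."""
from itertools import combinations, product


def walsh(tt):
    """F(w) = sum_x (-1)^f(x) (-1)^(w.x), by the fast Walsh-Hadamard butterfly."""
    F = [1 - 2 * v for v in tt]                      # f-hat = (-1)^f
    h = 1
    while h < len(F):
        for i in range(0, len(F), 2 * h):
            for j in range(i, i + h):
                F[j], F[j + h] = F[j] + F[j + h], F[j] - F[j + h]
        h *= 2
    return F


def nbits(tt):
    return len(tt).bit_length() - 1


def sac_spectral(tt, m):
    """Theorem 7: sum_w F(w)F(w xor c)(-1)^(w_k) = 0 for every c of Hamming weight
    s <= m and every position k outside the support of c (s = 0 is Theorem 1)."""
    n, F = nbits(tt), walsh(tt)
    if m > n - 2:
        return False
    for s in range(m + 1):
        for support in combinations(range(1, n + 1), s):
            c = sum(1 << (n - k) for k in support)          # c_s as an index
            for k in range(1, n + 1):
                if k not in support and sum(
                        F[w] * F[w ^ c] * (-1) ** ((w >> (n - k)) & 1)
                        for w in range(len(tt))) != 0:
                    return False
    return True


def restrict(tt, fixed):
    """Subfunction with the bits in `fixed` ({position: value}) kept constant."""
    n = nbits(tt)
    free = [k for k in range(1, n + 1) if k not in fixed]
    sub = []
    for vals in product((0, 1), repeat=len(free)):         # free bits keep order
        x = sum(v << (n - k) for k, v in fixed.items())
        x |= sum(v << (n - k) for k, v in zip(free, vals))
        sub.append(tt[x])
    return sub


def sac0(tt):
    """SAC (order 0): flipping any one input bit changes f for exactly half of x."""
    n, N = nbits(tt), len(tt)
    return n >= 2 and all(
        sum(tt[x] != tt[x ^ (1 << (n - i))] for x in range(N)) == N // 2
        for i in range(1, n + 1))


def sac_def(tt, m):
    """Definition 4: f and every subfunction with <= m bits fixed fulfil the SAC."""
    n = nbits(tt)
    if m > n - 2 or not sac0(tt):
        return False
    return all(sac0(restrict(tt, dict(zip(support, vals))))
               for s in range(1, m + 1)
               for support in combinations(range(1, n + 1), s)
               for vals in product((0, 1), repeat=s))


def max_order(tt):
    """Highest m with SAC of order m, or -1 if f does not fulfil the SAC at all."""
    best = -1
    for m in range(nbits(tt) - 1):
        if not sac_def(tt, m):
            break
        best = m
    return best


def count_by_order(n):
    """All 2^(2^n) functions of n bits counted by maximal SAC order (Table 1)."""
    counts = {}
    for code in range(1 << (1 << n)):
        o = max_order([(code >> x) & 1 for x in range(1 << n)])
        counts[o] = counts.get(o, 0) + 1
    return counts


def spectrum_symmetric(tt):
    """Equation (34): F^2(w) = F^2(w xor [1,...,1]) for all w (Theorem 4 case)."""
    F, top = walsh(tt), len(tt) - 1
    return all(F[w] ** 2 == F[w ^ top] ** 2 for w in range(len(tt)))


# Example 9, f(x) read off its truth table with x = [x1, x2, x3, x4].
EX9 = [0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1]
# Example 7, listed there as {1,-1} values; mapped by 1 -> 0, -1 -> 1.
EX7 = [(1 - v) // 2 for v in [1, 1, 1, 1, 1, -1, -1, 1, -1, 1, -1, -1, 1, -1, -1, -1]]

if __name__ == "__main__":
    print("Example 9: maximal order", max_order(EX9), "| Theorem 7, m=2:", sac_spectral(EX9, 2))
    print("Example 7: (34) holds:", spectrum_symmetric(EX7), "| SAC:", sac0(EX7))
    print("n = 3 by maximal order (Table 1 column):", count_by_order(3))
```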



3.3 Construction of Functions Fulfilling the SAC of Maximum Order 

The method used to count the SAC-fulfilling functions of maximum order n − 2 for 
n = 5 and n = 6 is a constructive one. The definition of the SAC of order m implies 
the following lemma. 

Lemma 4 A boolean function f(x) of n bits fulfills the SAC of order m if and only 
if 

• f(x) fulfills the SAC of order 0, and 

• any function obtained from f(x) by keeping one input bit constant (equal to 0 
or to 1) fulfills the SAC of order m − 1. 

This gives rise to the idea of using functions of n − 1 bits that fulfill the SAC of 
order n − 3 as basic elements for the synthesis of functions of n bits that fulfill the 
SAC of order n − 2. 



Example 11: 

The eight functions of two bits that fulfill the SAC of order zero are 
listed below. 

    x1  x2 | f1(x) f2(x) f3(x) f4(x) f5(x) f6(x) f7(x) f8(x)
    ---------------------------------------------------------
     0   0 |   0     0     0     0     1     1     1     1
     0   1 |   0     0     1     1     0     0     1     1
     1   0 |   0     1     0     1     0     1     0     1
     1   1 |   1     0     0     1     0     1     1     0

We can define $f(x) : Z_2^3 \rightarrow \{0, 1\}$ as 

$$f(x) = f([x_1, x_2, x_3]) = x_1 \cdot f_i([x_2, x_3]) + \bar{x}_1 \cdot f_j([x_2, x_3]) \qquad (62)$$

with $i, j \in \{1, 2, \ldots, 8\}$, $i \ne j$, and we get $\binom{8}{2} = 28$ functions f(x); 
sixteen of them can be checked to fulfill the SAC of order 1. We can 
be sure that no other function of three bits satisfies the SAC of order 1, 
since any such function necessarily is decomposable according to (62) 
(by Lemma 4). 

The procedure used in example 11 can be applied to the sixteen functions of three 
bits that fulfill the SAC of order 1, and it yields the 32 functions of four bits that 
fulfill the SAC of order 2, and so on. 

4 Conclusion 

The Strict Avalanche Criterion of order m has been introduced, which corresponds 
to a generalized definition of the known SAC. It has been shown that the SAC of 
any order can be easily characterized in the Walsh-domain. This representation 
was used for the construction of further SAC-fulfilling boolean functions. The application 
of SAC-fulfilling functions for cryptosystem design has still to be studied. 
An application would be, for instance, to use such functions for the synthesis of 
S-boxes in substitution/permutation (SP) block-ciphers. Since an S-box has many 
inputs and n outputs, n SAC-fulfilling functions should be chosen and combined 
in some adequate manner. For example, statistical dependencies between output 
bits should be avoided. Statistical independence between input m-tuples and 
the output of boolean functions is known as m-th order correlation-immunity. It 
might be interesting to examine whether there are restrictions in the compatibility 
of correlation-immunity and SAC of order m. Any boolean function that is 
m-th order correlation-immune [6] has vanishing values of F(w) for all w's with 
Hamming weights between one and m [5]. Exhaustive search for functions of three 
and four bits showed that eight functions of three bits as well as ninety-six functions 
of four bits are first-order correlation-immune and fulfill the SAC of order 1 at the 
same time. 
The linear syndrome (LS) method is elaborated for the purpose of solving 
problems encountered in cryptanalysis, which can be reduced to the following 
mathematical setting. Suppose the cryptanalyst has at his hand a 
sufficiently long segment of the binary sequence 

$$B = A + X,$$

where A is a linear sequence with known feedback polynomial f(x) and X is 
a sequence with unknown or very complicated algebraic structure, but is 
sparse in the sense that, if we denote its signals by x(i), i ≥ 0, then 
we shall have 

$$s = \mathrm{prob}(x(i) = 1) = 1/2 - \varepsilon, \qquad 0 < \varepsilon < 1/2.$$

We call s the error rate of the sequence A in the sequence B, and the job 
of the cryptanalyst is to recover the former from the captured segment of 
the latter. 

One way for tackling this problem is to make use of the ideas of error 
correction, especially when s is comparatively small. In doing this we consider, 
for some fixed integer r ≥ 3, a finite collection of r-nomials of the 
form 

$$g(x) = 1 + x^{i_1} + x^{i_2} + \cdots + x^{i_{r-1}}, \qquad 0 = i_0 < i_1 < i_2 < \cdots < i_{r-1},$$

and compute, for every $i \ge \max \deg g(x)$ and all g(x), the syndromes 

$$\sigma_i(g) = \sum_{k=0}^{r-1} b(i - i_{r-1} + i_k),$$

b(i), i ≥ 0, being the signals of the sequence B. The LS method is 
based on the following 

Lemma 1. If f(x) divides g(x), then 

$$\mathrm{prob}(\sigma_i(g) = x(i)) = 1/2 + (1 - 2s)^{r-1}/2. \qquad (1)$$

Proof. Denote the signals of A by a(i), i ≥ 0. Since f(x) | g(x), we 
have 

$$\sigma_i(g) = \sum_{k=0}^{r-1} b(i - i_{r-1} + i_k) = \sum_{k=0}^{r-1} a(i - i_{r-1} + i_k) + \sum_{k=0}^{r-1} x(i - i_{r-1} + i_k) = \sum_{k=0}^{r-1} x(i - i_{r-1} + i_k).$$

Thus we see $\sigma_i(g) = x(i)$ if and only if an even number of the signals 

$$x(i - i_{r-1}),\ x(i - i_{r-1} + i_1),\ \ldots,\ x(i - i_{r-1} + i_{r-2})$$

are "1", and hence we have 

$$\mathrm{prob}(\sigma_i(g) = x(i)) = \sum_{p \ \mathrm{even}} C_{r-1}^{p} \, s^p (1 - s)^{r-1-p} = 1/2 + (1 - 2s)^{r-1}/2 = 1/2 + (2\varepsilon)^{r-1}/2.$$

This simple lemma suggests that it will be wise for the cryptanalyst to 
behave as follows. Choose the r-nomials g(x) to be multiples of the given 
polynomial f(x), take into consideration 2m + 1 of the syndromes provided 
by these r-nomials, and revise the signals of the sequence B in accordance 
with the following rule of majority logic decision: 

$$b(i) \leftarrow b'(i) = \begin{cases} b(i) + 1, & \text{if at least } m + 1 \text{ syndromes are "1"}, \\ b(i), & \text{otherwise}, \end{cases}$$

in the hope that the error rate s' of the sequence A in the resulting sequence 
B' will be less than the initial error rate s. 
In order to see under which conditions this will be the case, we write 

$$p = p(s) = (1 - (1 - 2s)^{r-1})/2, \qquad q = 1 - p,$$

and prove the following 

Theorem 1. If the number of syndromes used in making the majority logic 
decision is n = 2m + 1, then the error rate of the sequence A in the sequence 
B' which results from one round of revision will be 

$$s' = T_m = p - (1 - 2p) \sum_{k=0}^{m-1} C_{2k+1}^{k} (pq)^{k+1}. \qquad (2)$$

Proof. It is easy to see from the revision algorithm that b'(i) ≠ a(i) 
if and only if at least m + 1 syndrome values are different from x(i). But, 
by lemma 1, the probability for a given syndrome value to be different from 
x(i) is p, so we have 

$$s' = T_m = p^{2m+1} + C_{2m+1}^{1} p^{2m} q + \cdots + C_{2m+1}^{m} p^{m+1} q^{m}.$$

Further, we have 

$$T_m = T_m (p + q)^2 = (p^{2m+1} + C_{2m+1}^{1} p^{2m} q + \cdots + C_{2m+1}^{m} p^{m+1} q^{m})(p^2 + 2pq + q^2)$$
$$= (p^{2m+3} + C_{2m+3}^{1} p^{2m+2} q + \cdots + C_{2m+3}^{m+1} p^{m+2} q^{m+1}) - C_{2m+1}^{m} p^{m+2} q^{m+1} + C_{2m+1}^{m+1} p^{m+1} q^{m+2}.$$

But 

$$T_{m+1} = p^{2m+3} + C_{2m+3}^{1} p^{2m+2} q + \cdots + C_{2m+3}^{m+1} p^{m+2} q^{m+1},$$

so we have the following recursive relation 

$$T_{m+1} = T_m - (1 - 2p) C_{2m+1}^{m} (pq)^{m+1},$$

which, together with $T_0 = p$, gives rise to (2). 

Now it is easy to see from (2) that, s being fixed, s' decreases as m 
increases. Furthermore, since 

$$T_0 = p = 1/2 - (2\varepsilon)^{r-1}/2 > 1/2 - \varepsilon = s$$

and 

$$\lim_{m \to \infty} T_m = p - (1 - 2p) \sum_{k=0}^{\infty} C_{2k+1}^{k} (pq)^{k+1} = p - (1 - 2p)\left((1 - 4pq)^{-1/2} - 1\right)/2 = p - (1 - 2p)\left((1 - 2p)^{-1} - 1\right)/2 = 0,$$

we see that for each possible initial error rate s there is a critical number 
mc = mc(s), such that s' will be less than s if and only if m > mc. The 
following is a table of critical numbers computed for practically tractable 
values of s, for the case r = 3, where the LS method works the best. 





      s  |  0.22  0.28  0.32  0.35  0.37  0.38  0.40
    -----+-------------------------------------------
     mc  |   3     4     5     6     7     8     9



(II) Iterated revision and its convergence 

The above analysis shows also that the error rate of the sequence A can 
be made arbitrarily small when we make use of a large enough number of syndromes. 
But such an approach is quite impractical in view of the difficulty 
in finding the necessary collection of r-nomials, divisible by f(x) and of 
degrees not too large. A better alternative is to fix the number of syndromes 
but apply the revision algorithm iteratedly to the segment under consideration, 
and the problem is that the convergence of such an iterative revision 
procedure has to be considered. 

In order to settle the problem just raised, we consider the polynomial 

$$T_m(x) = x - (1 - 2x) \sum_{k=0}^{m-1} C_{2k+1}^{k} (x(1 - x))^{k+1}$$

and prove a couple of simple lemmas about the function p(s) mentioned before 
as well as about the function 

$$s' = f(s) = T_m(p(s)).$$

Lemma 2. The function p(s) is increasing on (0, 1/2) and maps this interval 
onto itself. 

Proof. In fact, we have 

$$p'(s) = (r - 1)(1 - 2s)^{r-2} > 0$$

and 

$$p(0) = 0, \qquad p(1/2) = 1/2,$$

as expected. 

Lemma 3. The derivative of the polynomial $T_m(x)$ is 

$$T_m'(x) = (m + 1) C_{2m+1}^{m} (x(1 - x))^{m}.$$

Proof. First, as we have noticed before, 

$$x = (1 - 2x) \sum_{k=0}^{\infty} C_{2k+1}^{k} (x(1 - x))^{k+1},$$

whenever |x| < 1. So we have 

$$T_m(x) = x - (1 - 2x) \sum_{k=0}^{m-1} C_{2k+1}^{k} (x(1 - x))^{k+1} = (1 - 2x) \sum_{k=m}^{\infty} C_{2k+1}^{k} (x(1 - x))^{k+1} \equiv C_{2m+1}^{m} x^{m+1} \pmod{x^{m+2}}$$

and hence 

$$T_m'(x) \equiv (m + 1) C_{2m+1}^{m} x^{m} \pmod{x^{m+1}}.$$

Further, we have the functional relation 

$$T_m(1 - x) = 1 - x + (1 - 2x) \sum_{k=0}^{m-1} C_{2k+1}^{k} (x(1 - x))^{k+1} = 1 - T_m(x).$$

By differentiation on both sides we have 

$$T_m'(x) \equiv (m + 1) C_{2m+1}^{m} (1 - x)^{m} \pmod{(1 - x)^{m+1}}.$$

But $T_m'(x)$ is a polynomial of degree 2m, so we conclude that 

$$T_m'(x) = (m + 1) C_{2m+1}^{m} (x(1 - x))^{m}.$$
Lemma 4. There is a number $\alpha \in (0, 1/2)$ such that 

$$f(s) < s, \quad \text{if } 0 < s < \alpha,$$

and 

$$f(s) > s, \quad \text{if } \alpha < s < 1/2.$$

Proof. Consider the auxiliary function 

$$w(s) = f(s) - s.$$

We see from 

$$p(0) = 0, \qquad p(1/2) = 1/2$$

and the expression for $T_m(x)$ that 

$$w(0) = w(1/2) = 0. \qquad (3)$$

Further, we see from 

$$w'(s) = T_m'(p(s)) \, p'(s) - 1$$

and 

$$T_m'(0) = 0, \qquad p'(1/2) = 0$$

that 

$$w'(0) = w'(1/2) = -1. \qquad (4)$$

(3) and (4) taken together imply that w(s) has at least one zero in the interval 
(0, 1/2). On the other hand, if w(s) has in this interval two or 
more zeroes, then, as can be easily seen from (3) and the mean value theorem 
of differential calculus, w''(s), too, will have at least two zeroes in it. 
But by direct manipulation we have 

$$w''(s) = (r - 1)(1 - 2s)^{r-3} \left[ (r - 1) T_m''(p(s)) (1 - 2s)^{r-1} - 2(r - 2) T_m'(p(s)) \right]$$
$$= (r - 1)(1 - 2s)^{r-3} \left[ (r - 1) T_m''(p(s)) (1 - 2p(s)) - 2(r - 2) T_m'(p(s)) \right]$$
$$= (r - 1)(1 - 2s)^{r-3} K(p(s)),$$

where 

$$K(x) = (m + 1) C_{2m+1}^{m} (x(1 - x))^{m-1} (a x^2 - a x + b)$$

and 

$$a = 4m(r - 1) + 2(r - 2), \qquad b = m(r - 1),$$

so we see, by noticing the statement of lemma 2, that w''(s) has only one 
zero β in the interval (0, 1/2), satisfying 

$$p(\beta) = 1/2 - (1 - 4b/a)^{1/2}/2.$$

This conclusion means that the function w(s) has only one zero in (0, 1/2). 
If we denote this unique zero of w(s) by α, then, by returning to (3) and 
(4) again, we see w(s) is negative on (0, α) and positive on (α, 1/2). 
But this is just what we wanted to prove. 

Now we are in a position to prove the convergence theorem for the procedure 
of iterated revision. 

Theorem 2. If we denote by $s_i$ the error rate of the sequence A in the sequence 
which results from the i-th round of revision, then the number sequence 
$\{s_i\}$ will decrease to 0 if m > mc, and increase to 1/2 if m < mc. 

Proof. Suppose m > mc. Then we have by the definition of mc 

$$s_1 = f(s_0) < s_0.$$

So we see from lemma 4 that 

$$s_1 < s_0 < \alpha.$$

By applying the same lemma to $s_1$ we have 

$$s_2 = f(s_1) < s_1 < \alpha.$$

By going along with the same argument we have 

$$\alpha > s = s_0 > s_1 > \cdots > s_i > \cdots > 0,$$

so we must have 

$$\alpha > \lim_{i \to \infty} s_i = s^* \ge 0,$$

and $s^*$, being a zero of the function w(s) met in the proof of lemma 4, can 
be nothing else than 0. 

The case m < mc, where iterated revision will lead to disastrous garble, 
can be discussed in exactly the same manner. 

(III) An example of applying the LS method 

The above analysis of the LS method is by no means rigorous in view of 
the assumptions made tacitly in computing the probabilities. For a really 
convincing justification of this method we, in the last run, have to resort 
to its usefulness in solving concrete problems. Practical problems encountered 
in cryptanalysis may not yield to the LS method immediately, but can 
in some cases be reduced to a suitable form, so as to make the method applicable. 
The following example, though artificial in nature, will be sufficient 
as an illustration for what we say here. 

In the laboratory of the DCS-center people produced a stream X of digital 
speech by the method of code excited linear prediction followed by vector 
quantization and turned it, as an experiment, into a stream 

$$Y = A + X$$

of incomprehensible enciphered speech, by the help of a linear sequence A 
with generating polynomial 

f (x) - 1 + x* + . 

Now, suppose the cryptanalyst knows the polynomial f(x), but has no 
concept about how to make use of the specific properties of the stream X 
itself; then for the purpose of recovering it he has to test one after another 
the $2^{3f} - 1$ possible initial states of A, a task far beyond the reach 
of today's technique. 

We show it is the specific structure of the plaintext stream X that 
makes the stream Y easily breakable. In fact, as a result of the slow variation 
nature of the speech data flow and the imprudent way of encoding 
it, there exists a sort of betraying correlation between the frames 

$$F_1, F_2, F_3, \ldots$$

of X. A closer examination shows that if we denote the number of "1"s 
in the frame F by w(F) and denote the frame length by l, then for most of 
the adjacent frame pairs $F_i, F_{i+1}$ we have 

$$w(F_i + F_{i+1}) < l/4.$$

And here is the clue we need. In fact, if the cryptanalyst proves to be 
clever enough to think of going from the stream Y over to the transformed 
stream 

$$Y' = Y + LY = (A + LA) + (X + LX) = A' + X',$$

L being the l-step shift to the left, then he will find himself in the typical 
situation discussed in the present paper, where A' is linear with 
the same generating polynomial f(x) as A, while X' is sparse with s = 1/4. 
Experimentation shows that by making use of the 9 syndromes provided by 
the trinomials 
1 -x* + x" . 1 + x' + x 7t , 1 - x' k + x'* 
four rounds of iterated revision applied to Y' suffice to recover A' from 
a captured segment of length n < 1500, and after that the plaintext X can 
be determined easily by 

$$X = Y + (I + L)^{-1} A'.$$

A tape record has been prepared by the same lab for this simple but 
instructive instance of successful codebreaking. This example reminds us, 
in particular, that in order to guarantee safety in communication, not only 
the algorithm for generating the enciphering signals, but also the data 
flow to be enciphered, as well as the problem about the suitable way 
of encoding and enciphering, should be considered carefully. 
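The following Python simulation is an added example, not the paper's experiment or code: it builds an instance of the setting above from constructed data (an LFSR sequence with the assumed feedback polynomial f(x) = 1 + x^3 + x^17, its multiples f(x^2) and f(x^4) as the other two trinomials, and noise with error rate s = 1/4), implements formula (2) for T_m, the majority logic rule and the iterated revision of Theorem 2, and reports the error rate of A in the revised sequence after each round.

```python
"""Linear syndrome method on a constructed instance (added example; not the
paper's data): an LFSR sequence A hidden in B = A + X by sparse noise X is
revised by majority logic over trinomial syndromes and iterated (Theorem 2).
Assumptions: f(x) = 1 + x^3 + x^17, its multiples f(x^2) and f(x^4) as the
other two trinomials (so r = 3), and 2m+1 = 9 syndromes per position."""
import random
from math import comb

TRINOMIALS = [(3, 17), (6, 34), (12, 68)]   # g(x) = 1 + x^a + x^b with f | g
M = 4                                       # 3 trinomials x 3 shifts = 2M + 1


def p_of_s(s, r=3):
    """p(s) = (1 - (1-2s)^(r-1))/2: probability that a syndrome differs from x(i)."""
    return (1 - (1 - 2 * s) ** (r - 1)) / 2


def T_binomial(m, p):
    """T_m as in the proof of Theorem 1: at least m+1 of 2m+1 syndromes wrong."""
    return sum(comb(2 * m + 1, k) * p ** k * (1 - p) ** (2 * m + 1 - k)
               for k in range(m + 1, 2 * m + 2))


def T_closed(m, p):
    """Equation (2): T_m = p - (1-2p) sum_{k=0}^{m-1} C(2k+1,k) (pq)^(k+1)."""
    q = 1 - p
    return p - (1 - 2 * p) * sum(comb(2 * k + 1, k) * (p * q) ** (k + 1)
                                 for k in range(m))


def critical_m(s, r=3, limit=200):
    """Smallest m for which one round lowers the error rate: T_m(p(s)) < s."""
    p = p_of_s(s, r)
    return next((m for m in range(limit) if T_closed(m, p) < s), None)


def lfsr_sequence(n, seed):
    """A with a(i) = a(i-17) + a(i-14) over GF(2): f(x) = 1 + x^3 + x^17 divides A."""
    rng = random.Random(seed)
    a = [rng.randrange(2) for _ in range(17)]
    if not any(a):
        a[0] = 1                                 # avoid the all-zero state
    for i in range(17, n):
        a.append(a[i - 17] ^ a[i - 14])
    return a


def syndromes(b, i):
    """The 2M+1 syndromes containing b(i): for each trinomial, the three shifts
    of b(j) + b(j+a) + b(j+c) that put position i on one of its taps."""
    out = []
    for a, c in TRINOMIALS:
        for j in (i, i - a, i - c):
            if j < 0 or j + c >= len(b):
                return None                      # too close to an end: no decision
            out.append(b[j] ^ b[j + a] ^ b[j + c])
    return out


def revise(b, m=M):
    """One round of majority logic decision: flip b(i) if >= m+1 syndromes are 1."""
    new = list(b)
    for i in range(len(b)):
        syn = syndromes(b, i)
        if syn is not None and sum(syn) >= m + 1:
            new[i] ^= 1
    return new


def error_rate(b, a):
    return sum(x != y for x, y in zip(b, a)) / len(a)


def ls_attack(n=20000, s=0.25, rounds=4, seed=1):
    """Error rate of A in B, B', B'', ... after each round of revision."""
    rng = random.Random(seed)
    a = lfsr_sequence(n, seed)
    b = [v ^ (1 if rng.random() < s else 0) for v in a]   # B = A + X, prob(x(i)=1) = s
    rates = [error_rate(b, a)]
    for _ in range(rounds):
        b = revise(b)
        rates.append(error_rate(b, a))
    return rates


if __name__ == "__main__":
    print("model: one round from s = 0.25 gives s' =", round(T_closed(M, p_of_s(0.25)), 4))
    print("smallest useful m for s = 0.22 / 0.28:", critical_m(0.22), critical_m(0.28))
    print("simulation, error rate per round:", [round(r, 4) for r in ls_attack()])
```

Because the nine syndromes of a position use eighteen distinct other positions, the first round behaves exactly as the independence model of Theorem 1 predicts; later rounds work on correlated residual errors, which is why the paper checks convergence experimentally.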
Extended Abstract 

Binary de Bruijn sequences of period $2^n$ bits have the property that all $2^n$ 
distinct n-tuples occur once per period. To generate such a sequence with an n-stage 
shift-register requires the use of nonlinear feedback. These properties suggest that de 
Bruijn sequences may be useful in stream ciphers. However, any binary sequence can 
be generated using a linear-feedback shift register (LFSR) of sufficient length. Thus, 
the linear complexity of a sequence, defined as the length of the shortest LFSR which 
generates it, is often used as a measure of the unpredictability of the sequence. This is 
a useful measure, since a well-known algorithm [1] can be used to successfully predict 
all bits of any sequence with linear complexity C from a knowledge of 2C bits. As an 
example, an m-sequence of period $2^n - 1$ has linear complexity C = n, which clearly 
indicates that m-sequences are highly predictable. 

Now, the widely used definition of linear complexity stated above is open 
to different interpretations. We distinguish here between the periodic linear complexity 
(PLC) - the length of the shortest LFSR which generates the given sequence and then 
repeats it cyclically - and the aperiodic linear complexity (ALC) - the length of the 
shortest LFSR which generates the given sequence followed by any arbitrary sequence 
of bits. This distinction is not made in the literature on de Bruijn sequences, but it has 
important practical consequences. In a stream cipher, it is clearly undesirable for 
keystream sequences to be allowed to repeat. Consequently, no more than P bits 
(where P is the sequence period) will ever be used, which implies that it is the ALC, 
not the PLC, which is of real concern. Unfortunately, all of the published results on 
the linear complexity of de Bruijn sequences (e.g. [2] and [3]) relate only to the PLC, 
not the ALC. The research described here goes some way towards addressing this 
imbalance. 

Having decided that the ALC is the most useful measure of 
unpredictability, we note however that a large value of the ALC of an entire sequence 
(one period) is not, by itself, a sufficient condition for high randomness. We also 
require the ALC of all sub-sequences of the given sequence to be as large as possible. 
For a given sequence of P bits, we are therefore interested in the ALC of the first k bits 
of the sequence, as a function of k (1 ≤ k ≤ P). The importance of this function was 
identified by Rueppel [4], who referred to it as the linear complexity profile (LCP) of 
the sequence. Note that, in general, the LCP of a sequence depends on the starting point 
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within the sequence. Thus, if we consider ail P cyclic shifts of any given sequence of P 
bits, some cyclic shifts may have notably better LCPs than others. 

Although statistical results on the LCP of random binary sequences 
have been obtained [4], these authors are unaware of any published results on the LCPs 
of any class of finite deterministic sequences. The LCPs of de Bruijn sequences were 
therefore investigated and the results of this study are summarized below. For 
comparison, it is interesting to note that the expected value of the LCP of a random 
binary sequence (with equiprobable ones and zeros), as a function of the sub-sequence 
length k, is given by [4]: 

E[C] = k/2 + [4 + R_2(k)]/18 - 2^(-k) (k/3 + 2/9), (1) 

which rapidly approaches k/2 as k increases. (Here, R_2(k) denotes the remainder when 
k is divided by 2). On the basis of this result and other observations, Rueppel [4] 
proposed that a "good random sequence" for cryptographic use should have a LCP 
which closely, but irregularly, follows the k/2 line. Also note that a linear complexity of 
k/2 for a sub-sequence of length k is sufficient to foil an attack based on the Berlekamp-
Massey algorithm [1]. 

Now consider the aperiodic LCP of a de Bruijn sequence of period 
2^n. As noted earlier, the LCP depends on the cyclic shift of the sequence under 
consideration. However, if we take the average value of the LCP of a de Bruijn 
sequence over all 2^n cyclic shifts, it is readily seen that for sub-sequence lengths k < n, 
equal numbers of all 2^k possible sub-sequences have been included in the averaging 
process. For such k, the average LCP is therefore identical to the expected value for 
random sequences, since the latter is also an ensemble average over all choices of sub-
sequence of length k. Hence, we have the following: 

Theorem: For k < n, the average LCP of any de Bruijn sequence of length 2^n, over all 
cyclic shifts, is identical to the average LCP for random sequences given by eqn (1). 

For k > n, when all cyclic shifts of a fixed de Bruijn sequence are 
considered, only a subset of 2^n of the possible 2^k k-bit sub-sequences occur. Which of 
the 2^k possible sub-sequences occur depends on the de Bruijn sequence being 
considered. For this case, it has proved difficult to derive analytical results concerning 
the LCP. However, extensive numerical investigations have been carried out on the sets 
of de Bruijn sequences generated by Fredricksen's 'cross-join' algorithm [5]. Although 
this algorithm (in common with all other practical algorithms) generates only subsets of 
de Bruijn sequences, these subsets are large, containing 2^(n-5) or 2^(n-6) sequences of 
length 2^n, for odd and even n, respectively. Furthermore, an implementation in the form 
of a programmable nonlinear-feedback shift-register can be derived from this 
algorithm [6], making it an attractive choice for applications. The LCP investigations 
were carried out over all de Bruijn sequences generated by this algorithm for all n < 12. 

Consider again the average LCP over all cyclic shifts of a given de 
Bruijn sequence. As a measure of the non-randomness of a sequence, we can take the 
difference between this average LCP and the ensemble average for random sequences in 
eqn (1). For each of the de Bruijn sequences investigated, the fluctuations themselves 
appear to be random, and show no tendency to increase or decrease as a function of the 
sub-sequence length k. Typical results for de Bruijn sequences of length 512 and 4096 
are shown in Figs. 1 and 2. Of course the fluctuations are identically zero for k < n, as 
predicted by the previous Theorem, although this is clearly visible only in Fig. 1 due to 
the scale. It is also apparent that the magnitude of the fluctuations decreases, albeit 
slowly, as the de Bruijn sequence length is increased. 

Now, although the average LCP over all cyclic shifts of a sequence is 
of some interest for comparison with the ensemble average in eqn (1), an issue of greater 
practical concern is the LCP behaviour of fixed cyclic shifts of a sequence. In particular, 
one would like to know if there are any 'bad' cyclic shifts of a de Bruijn sequence which 
ought to be avoided. The results of our investigations suggest that this question can be 
answered in the negative, at least for all the de Bruijn sequences generated by 
Fredricksen's 'cross-join' algorithm for all n < 12. The LCPs of these de Bruijn 
sequences are relatively insensitive to the choice of cyclic shift and all appear to satisfy 
Rueppel's criterion for closely, but irregularly, following the k/2 line. A typical example 
of the LCP of a de Bruijn sequence of length 256 is shown in Fig.3. In this case, the 
cyclic shift chosen was that beginning with the all-zeros n-tuple. The steps in the LCP 
are all of the order of n or less in magnitude; indeed, the inevitable step associated with 
the all-zeros n-tuple is the largest present. This result appears to hold in general. 

To illustrate the insensitivity of the LCP to the choice of cyclic shift of 
a de Bruijn sequence, Fig.4 shows typical results for the average, maximum and 
minimum values of the LCP, over all cyclic shifts of a 512-bit de Bruijn sequence. As 
expected, the average LCP is indistinguishable from the k/2 line. An interesting feature, 
which appears to hold in general, is that the maxima and minima of the LCP show a 
remarkable symmetry about its average value. More importantly, the peak deviation 
from the average (and, in effect, from the k/2 line) is small relative to the sequence 
length, and shows no tendency to increase or decrease as a function of the sub-sequence 
length k. 
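The quantities discussed above (the LCP of each cyclic shift, its average over all shifts compared with eqn (1), the fluctuation measure of Figs. 1 and 2, and the per-k maximum and minimum of Fig. 4) can be computed with the following Python, which is an added example and not code from the paper. It builds its de Bruijn sequence with the standard lexicographic (Lyndon-word concatenation) construction rather than Fredricksen's cross-join algorithm, and checks the Theorem for k up to and including n, since each n-tuple occurs exactly once among the 2^n cyclic windows.

```python
"""Added example: aperiodic linear complexity profile (LCP) of a de Bruijn sequence
over all cyclic shifts, compared with Rueppel's expected value, eqn (1).
Sequence construction: lexicographic (Lyndon-word) concatenation, not cross-join."""


def de_bruijn(n):
    """Binary de Bruijn sequence of order n (length 2^n) by Lyndon-word concatenation."""
    a = [0] * (2 * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, 2):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def linear_complexity_profile(s):
    """Berlekamp-Massey over GF(2). Returns [LC(s[:1]), LC(s[:2]), ..., LC(s)],
    i.e. the aperiodic LCP; the last entry is the ALC of the whole sequence."""
    c, b = [1], [1]      # current and previous connection polynomials (c[i] = coeff of x^i)
    L, m = 0, 1          # current LFSR length, steps since b was last updated
    profile = []
    for n, bit in enumerate(s):
        d = bit                                   # discrepancy: does the LFSR predict s[n]?
        for i in range(1, min(L, len(c) - 1) + 1):
            d ^= c[i] & s[n - i]
        if d:
            t = c[:]
            shifted = [0] * m + b                 # x^m * b(x)
            c = c + [0] * max(0, len(shifted) - len(c))
            for i, v in enumerate(shifted):
                c[i] ^= v
            if 2 * L <= n:                        # length must grow (Massey's bound)
                L, b, m = n + 1 - L, t, 0
        m += 1
        profile.append(L)
    return profile


def expected_lcp(k):
    """Rueppel's expected linear complexity of a random k-bit sequence, eqn (1)."""
    return k / 2 + (4 + k % 2) / 18 - 2.0 ** (-k) * (k / 3 + 2 / 9)


def lcp_over_shifts(seq):
    """Average, maximum and minimum LCP over all P cyclic shifts, indexed by k-1."""
    P = len(seq)
    profiles = [linear_complexity_profile(seq[i:] + seq[:i]) for i in range(P)]
    columns = list(zip(*profiles))
    avg = [sum(col) / P for col in columns]
    return avg, [max(col) for col in columns], [min(col) for col in columns]


def fluctuations(seq):
    """Average LCP minus the random-sequence expectation: the measure of Figs. 1 and 2."""
    avg, _, _ = lcp_over_shifts(seq)
    return [a - expected_lcp(k + 1) for k, a in enumerate(avg)]


if __name__ == "__main__":
    n = 6                                         # 64-bit sequence, 64 shifts
    seq = de_bruijn(n)
    avg, hi, lo = lcp_over_shifts(seq)
    for k in range(len(seq)):
        print(f"k={k + 1:3d}  avg={avg[k]:6.2f}  E[C]={expected_lcp(k + 1):6.2f}"
              f"  max={hi[k]:3d}  min={lo[k]:3d}")
```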
Fig. 1: Fluctuations of the average LCP (over all cyclic shifts) of a 512-bit 
de Bruijn sequence from the expected value for random sequences. 

Fig. 2: As Fig. 1, but for a de Bruijn sequence of length 4096. 
THE APPLICATION OF SMART CARDS FOR RSA DIGITAL 
SIGNATURES IN A NETWORK COMPRISING BOTH 
INTERACTIVE AND STORE-AND-FORWARD FACILITIES 

J.R. Sherwood and V.A. Gallo 
Brighton, UK 

Abstract. Smart card technology is relatively new but offers an economic and convenient 
solution to the problems of user-authentication. This paper discusses the requirements 
for user authentication and digital signature in complex networks and examines the 
problems of integrating a smart-card sub-system. It proposes some design approaches 
for providing a useful lifetime for a smart card and for handling the computations 
required for 512-bit RSA digital signatures. 



Environment 

Many data communications networks are known to be based on interactive working 
between a user on a workstation and a remote central application on a mainframe host. 
Many other networks are based on store-and-forward facilities for message or file 
transfer using the mail-box principle. Increasingly, large corporate networks are 
offering both of these facilities in an integrated data communications network. At the 
same time, network services providers and users are becoming more conscious of the 
need to implement security in these environments. 



Introduction 

This paper addresses the problems of security sub-system design in a network 
environment of some complexity. It outlines a design approach which is suited to both 
interactive and store-and-forward working, bringing together a wide range of 
cryptographic techniques and system components. The paper explores some of the 
design considerations that are relevant to the development of an integrated solution for 
system security and provides a framework within which various cryptographic 
techniques can be interwoven. In particular, it discusses the applicability of each 
technique and examines the contribution that each can make to the overall design. 

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 484-496, 1990. 
© Springer-Verlag Berlin Heidelberg 1990 



Smart cards are relatively new and as yet there are few systems which exploit their 
potential as a user token providing an automated logon protocol. This is one area that 
the paper explores in some detail; we develop some existing ideas on the use of a 
one-way function to encrypt a random challenge for constructing a logon protocol and 
in particular some techniques are described for ensuring attack-resistance over the 
expected lifetime of the smart-card token. 



Security Requirements 

The type of network under consideration here comprises both interactive and 
store-and-forward mailbox facilities, based on personal computer workstations 
connected to mainframe computers. 

Broadly speaking, the security requirements can be summarised as follows: 

1. Access control over local workstations and their applications. 

2. Access control over remote hosts and their applications. 

3. Privacy of communications over data networks. 

4. Integrity checks on the contents of communications (message 
authentication). 

5. Proof of message origin. 

To achieve these requirements a security sub-system is required which integrates into 
all possible configurations of the network, and which is applicable to both 
store-and-forward and interactive environments. It must also be capable of integrating 
successfully with existing security sub-systems, such as that provided in IBM SNA 
networks involving the use of the SNA encrypt/decrypt facility, and such as the 
access control facilities of RACF [3] and ACF2 [4]. Where SNA encrypt/decrypt is 
employed, the host mainframes are either equipped with an IBM 3848 Cryptographic 
Unit [5] or with the IBM Programmed Cryptographic Facility Program Product [6] with 
ACF/VTAM [7]. 

System Requirements 

The system component requirements for constructing a suitable security sub-system are 
as follows: 



1. User tokens. 

2. A suitable collection of cryptographic algorithms for implementing personal 
authentication, data encryption, message authentication and digital signature. 

3. A cryptographic key management architecture which provides both security and 
manageability. 

4. Cryptographic units (possibly with tamper resistance) or cryptographic programs. 



Additionally, the security sub-system should not unduly affect response times for 
network users nor should it present an unfriendly and complex user interface. 



Security Sub-System Overview 

The security sub-system architecture proposed here uses a smart card as the user token. 
This provides the basic mechanism for access control, and also stores user-specific 
cryptographic keys. Local access control is effected by PIN-protection of the smart 
card. Hence the user needs to possess both the card and knowledge of the PIN. Remote 
access control is achieved by means of a challenge-response protocol designed to be 
thoroughly resistant to cryptanalytic attack for the entire lifetime of the card. For the 
encryption of data and the generation of message authentication codes, symmetrical 
encryption algorithms such as DES [10] are used. Digital signatures are generated 
using the RSA asymmetric public key algorithm [12], and each authorised signatory 
carries a personal RSA key pair as part of the data on the smart card user token [13]. 
Top-level key management protocols are also implemented using RSA, which has the 
advantage of enabling a fully automated and therefore very manageable key distribution 
scheme [14]. To maintain acceptable response times the cryptographic units and smart 
card readers are all equipped with a digital signal processor providing "fast RSA" 
processing facilities [15]. 

To overcome the problems of mutual trust between a smart card and an intelligent 
cryptographic smart card reader, one of two approaches is possible. The card and the 
reader can mutually authenticate one another using a zero-knowledge proof protocol 
such as Fiat-Shamir [16] [17], or the card can delegate some of the heavier computations 
to the card reader without disclosing its secret information [18]. 



System Detail 

Local Access Control 

Every workstation is provided with an integral smart card reader, into which an 
authorised user inserts a smart card. The smart card itself is only activated for further 
functions if the correct user PIN is supplied. The user is prompted by the local 
application to supply this PIN, which is then submitted to the smart card for validation. 
If the PIN validation is successful, the card may then enter into a mutual authentication 
process with the smart card reader using the Fiat-Shamir protocol. The card reader is 
equipped with a digital signal processor which performs all cryptographic processing 
in that unit. At this stage, the system has achieved the following authentication: 

1. User to smart card 

2. Smart card to reader 

3. Reader to smart card 



By implication, the user has also been authenticated to the reader, and hence to the 
application which is driving it. The smart card now provides the data required for 
remote access control and for digital signature using RSA. 
Also stored on the smart card is a user privileges profile which is sent to the application 
and which controls the range of application facilities to which the user is to be granted 
access. If the privileges profile data is too great to store on the card it can be stored 
encrypted on the workstation database under a secret DES storage key which is generated 
and held on the card. 

Remote Access Control 

One-time passwords are used for logons which involve plaintext transmission across the 
network. This prevents an eavesdropper from capturing a useful password. For 
interactive working a challenge-response protocol [19] is used to authenticate the user 
to a remote host and its applications. If RACF or ACF2 are in use, these packages 
provide "exits" via which one-time password sub-systems can be interfaced. The 
one-time password is checked at the host and if valid, the user is granted access. In 
challenge-response mode this is achieved by the host security module generating a 
128-bit random number, which is sent across the network to the workstation and from 
there to the smart card. A one-way function is now applied to the challenge to obtain 
the response. The smart card encrypts the random number under a secret user (DES) 
key which we shall call KU. The 128-bit ciphertext output from DES ECB mode [11] 
is then subjected to another algorithm which selects individual bits and combines them 
to form a 96-bit output. The mask for bit selection constitutes the user key for this 
selection algorithm. We shall call this key KS. There are 96 bits to be selected from 
128. Hence the keyspace for KS is (128 choose 96), or 2^218. 

The 96-bit output from the selection algorithm is transmitted back across the network 
to the host, where it is processed by the host security module to verify it against the 
issued challenge. 

Considering the possible attacks on this challenge-response system there are two possible 
threats - firstly that an opponent will collect transmitted challenge-response pairs to 
build a dictionary and secondly that the opponent will construct a DES engine to perform 
a brute-force attack on KU by using known plain text/ciphertext pairs. 

The dictionary attack must be judged against the expected number of logons over the 
required lifetime of the smart card. Assuming an average of one logon per day for a 
period of three years this will give an opponent 365 x 3 = 1095 matching 
challenge-response pairs. This is reasonable since it includes all weekends and holidays 
and will hence allow for multiple logons on some days. For convenience we approximate 
this value to 1024 = 2^10. We now examine the probability of the opponent having the 
necessary dictionary entry for a given challenge at the end of this three year period. 
Meyer and Matyas have shown that the probability (p) of finding a correct look-up 
table entry is: 

p = 1 - e^(-mn/N) ; n/2N < 1 

where N = total number of possible response values 
n = number of challenge-response pairs available to an opponent 
m = number of exhaustive trials to obtain equivalent values of the keys that will 
generate the same output. 

If we examine the use of 64-bit DES alone and for the present time neglect the effect 
of the selection algorithm, this gives the following values: 

N = 2^64 
n = 2^10 
m = 2^56 
n/2N = 2^-55 
mn/N = 2^2 = 4 
p = 1 - e^-4 = 0.98 

This is a totally unacceptable probability, but if we now include the selection component 
the picture changes dramatically. Any one of the possible 2^56 DES keys could have 
been used to generate the final 96-bit output. This means that on any trial it will 
always be possible to find a pair of equivalent values of KU and KS which generate 
the observed output, hence: 

m = 1 
N = 2^96 
n/2N = 2^-87 

Hence mn/N = 2^-86 

and p is negligible. 

If we were to extend the required lifetime of the card to (say) 2^20 logons it makes no 
substantial impact on the value of p, and hence we have a scheme that is for practical 
purposes completely resistant to a dictionary-style attack. 
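The challenge-response exchange described under Remote Access Control, and the Meyer-Matyas dictionary estimate worked through just above, are modelled in the following Python. This is an added example, not code from the paper. Python's standard library has no DES, so the function stand_in_ecb() is a SHA-256 based stand-in that only preserves the shape of DES-ECB on a 128-bit challenge (two 64-bit blocks in, 128 bits out); the probabilities reported by paper_figures() are the paper's own parameters fed into its formula, not measurements of this code.

```python
"""Added example: one-way function (block encryption under KU, then bit selection
under KS), the host/card exchange with per-session variables, and the
Meyer-Matyas dictionary-attack estimate p = 1 - e^(-mn/N) with the paper's figures."""
import hashlib
import math
import random
import secrets


def stand_in_ecb(ku: bytes, challenge: bytes) -> bytes:
    """Stand-in for DES-ECB under user key KU (NOT DES): each 64-bit block of the
    128-bit challenge becomes SHA-256(KU || block) truncated to 64 bits."""
    assert len(challenge) == 16, "the host issues a 128-bit random challenge"
    return b"".join(hashlib.sha256(ku + challenge[i:i + 8]).digest()[:8] for i in (0, 8))


def select_bits(ciphertext: bytes, ks: int, out_bits: int = 96) -> int:
    """Selection stage: keep the ciphertext bits whose positions are set in the mask KS.
    Mask bit 127 refers to the first (most significant) ciphertext bit; the kept bits
    are concatenated in order to form the out_bits-bit response."""
    assert len(ciphertext) == 16 and 0 <= ks < (1 << 128)
    assert bin(ks).count("1") == out_bits, "KS must select exactly out_bits positions"
    c = int.from_bytes(ciphertext, "big")
    response = 0
    for pos in range(127, -1, -1):
        if (ks >> pos) & 1:
            response = (response << 1) | ((c >> pos) & 1)
    return response


def one_way_function(ku: bytes, ks: int, challenge: bytes) -> int:
    return select_bits(stand_in_ecb(ku, challenge), ks)


def random_selection_mask(out_bits: int = 96) -> int:
    """A fresh KS: a uniformly chosen set of out_bits positions out of 128."""
    positions = random.SystemRandom().sample(range(128), out_bits)
    return sum(1 << p for p in positions)


class HostSecurityModule:
    """Host end: per-user (KU, KS) records plus session variables indexed by sequence number."""

    def __init__(self, records):
        self.records = dict(records)   # user id -> (KU, KS); the paper keeps these encrypted
        self.sessions = {}             # sequence number -> (KU, KS, challenge)
        self.next_seq = 0

    def issue_challenge(self, user_id):
        ku, ks = self.records[user_id]
        seq, challenge = self.next_seq, secrets.token_bytes(16)   # 128-bit random number
        self.next_seq += 1
        self.sessions[seq] = (ku, ks, challenge)
        return seq, challenge

    def verify(self, seq, response):
        session = self.sessions.pop(seq, None)   # one attempt per challenge: replays fail
        if session is None:
            return False
        ku, ks, challenge = session
        return response == one_way_function(ku, ks, challenge)


class SmartCard:
    """Card end: holds KU and KS, released for use after the PIN check (not modelled)."""

    def __init__(self, ku: bytes, ks: int):
        self.ku, self.ks = ku, ks

    def respond(self, challenge: bytes) -> int:
        return one_way_function(self.ku, self.ks, challenge)


def run_logon(host, card, user_id) -> bool:
    """Host -> workstation -> card: 128-bit challenge; card -> host: 96-bit response."""
    seq, challenge = host.issue_challenge(user_id)
    return host.verify(seq, card.respond(challenge))


def dictionary_success_probability(m, n, N) -> float:
    """Meyer-Matyas estimate p = 1 - e^(-mn/N), stated for n/2N < 1."""
    assert n / (2 * N) < 1
    return -math.expm1(-(m * n) / N)   # expm1 keeps precision when mn/N is tiny


def paper_figures():
    """The two cases worked in the paper: DES alone (p ~ 0.98) and with selection (p ~ 2^-86)."""
    des_alone = dictionary_success_probability(m=2 ** 56, n=2 ** 10, N=2 ** 64)
    with_selection = dictionary_success_probability(m=1, n=2 ** 10, N=2 ** 96)
    return des_alone, with_selection


if __name__ == "__main__":
    ku, ks = secrets.token_bytes(8), random_selection_mask()      # constructed user keys
    host = HostSecurityModule({"user-0001": (ku, ks)})
    print("logon accepted:", run_logon(host, SmartCard(ku, ks), "user-0001"))
    print("p (DES alone), p (with selection):", paper_figures())
```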

Now let us examine the brute-force attack on KU and KS. Since a given output is 
possible with all values of KU we have completely decoupled the DES process from 
any direct attack on sets of matched plaintext/ciphertext. The opponent must search 
every value of KS for each and every value of KU, making a complete search of 
2^56 x 2^218 key combinations necessary. 
We estimate that it is feasible to build a DES engine that would work at 10 tests per 
second and would perform an average DES key search in one day. Assuming that we 
employ the same engine to search for KS and that the selection algorithm operations 
are 100 times faster than DES operations, a complete search of KS and KU would take 
2^212 days, which of course is infeasible. 

The incorporation of the selection algorithm extends the resistance to attack well beyond 
the resources of an opponent and adds virtually nothing to the cost of implementation. 
It could be used equally effectively with a non-DES preprocessor, thus extending the 
scope of its applications to organisations which are prohibited the use of DES. 

Host-End Management for Remote Access Control 

Every issued smart card has a matching user record on the host database. When an 
authentication request is received at the host, the appropriate record is retrieved and 
sent into the host security module. The secret part of the record is stored on the host 
database encrypted under a storage DES key, and storage keys are changed regularly 
to reduce their exposure to attack. The record is processed and then written back to 
the database encrypted under the latest storage key. A dummy request is also provided 
to enable the host application to refresh infrequently used records which would otherwise 
fall out-of-date with the storage key window. 

A new "session" starts with a request for a random number challenge. The host security 
module provides a session sequence number and sets up a temporary store of session 
variables, including the values of KS, KU and the random challenge. On receipt of 
the encrypted challenge the host security module uses the session sequence number to 
index the appropriate block of session variables and hence verify the response. 

If the remote logon is not interactive but forms part of a batch submission, the same 
user key is used to generate the next one-time password in a pseudo-random sequence 
[21]. This sequence is tracked at the host-end and the password is validated when the 
batch job is processed. Password windows are used to improve system resilience, and 
database management is as before. 

Additional resilience is incorporated by providing dual host security modules. The units 
each have their own unique RSA key pair and the public keys are used to organise 
encrypted, certified replication of storage DES keys between the two units via the host 
application. 
Issue Authority 

All smart cards for use in the network are issued at one central point. They are loaded 
with keys and PINs and then mailed to users. PINs are secretly printed inside special 
envelopes and mailed to users under separate cover. The card is loaded with a newly 
generated RSA key pair (512-bit keylength is used), the public key of which is certified 
by means of a digital signature made with an issue authority secret RSA key [22]. The 
certified public key is entered into the system directory and is available for reference 
by all other users. The card-issue function and directory function are performed on a 
PC acting as a key distribution centre (KDC). The KDC is available to all network 
users as a central reference library for certified public keys. Each PC or host application 
can obtain these via the network, and can store local directories of frequently used 
keys. Every system node also has a copy of the issue authority public key with which 
the certified public keys can be authenticated at any time by validating the issue 
authority RSA digital signature. Hence only authorised users' public keys can be used. 

Privacy of Communications 

In addition to the user RSA keys held on the smart cards, each cryptographic unit in 
the system has a unique RSA key pair, issued to the unit in certified form just as for 
the smart cards, and also stored on the public system directory. It is therefore possible 
to have the following relationships: 

1. User to user 

2. User to application (and its crypto unit) 

3. Application to application (and their crypto units) 

When messages are to be encrypted for transmission to protect against eavesdropping, 
a data key (DES) is generated at the originating user or application inside the 
cryptographic unit. For duplex communications different data keys are used for each 
direction. A DES key is encrypted under the RSA public key of the destination unit 
and signed with the RSA secret key of the source. The encrypted, signed data key is 
sent with the message and at the destination it is recovered by using the public key of 
the source to validate the signature, and the secret key of the destination to decrypt 
the data key. All RSA processing is performed on fast RSA processors (such as a digital 
signal processor) to maintain acceptable response times. 
The Texas Instruments TMS 32010 DSP with suitable software can provide a 512-bit 
RSA secret key operation in approximately 2.8 seconds. This can be substantially 
improved with the TMS 32020 to approximately 2 seconds and with the TMS 320C25 
to approximately 800 milliseconds. We estimate that using two Motorola 56000 DSPs 
an execution time of less than 50 milliseconds can be achieved. 

Key Management Protocol 

The transmission of keys requires a suitable protocol at the application level. This 
protocol must exchange messages, the contents of which are encrypted keys, unit 
identities, key counters and other control information. One such protocol suitable for 
this purpose is the group of cryptographic service messages (CSMs) described in ANSI 
X9.17 [23]. The CSMs defined in the standard accommodate only single and double 
length DES keys, with no provision being made for RSA keys or RSA-encrypted DES 
keys. However, it is not difficult to extend the CSM set to include new field-tags and 
new field definitions that can handle these RSA blocks; proprietary implementations 
of ANSI X9.17 CSM protocol do make these facilities available, but of course their 
precise definition does not conform to a standard since none exists. 

The key management technique described above is applicable to both interactive and 
store-and-forward networks. However, in the case of store-and-forward mailbox 
systems, it may be a function of the mail server to broadcast messages to all system 
users or to closed user groups. In this case the mail server is equipped with its own 
cryptographic unit which performs only key translation services. Broadcast messages 
have their data key encrypted by the source under the RSA public key of the mail 
server, and the cryptographic unit on the server then translates these key blocks under 
the RSA public key of all authorised recipients, placing the translated key block into 
the mailbox of each. The data key remains unchanged and so the key translation unit 
does not need to process the message itself. 

Message Authentication 

Message contents are authenticated by generating at source and validating at destination 
a message authentication code (MAC). This can be of the type defined in ANSI X9.9 
[24] using DES. The data authentication key is carried in exactly the same way as 
described above for data encryption keys, using RSA for authenticating both source 
and destination, and using a key translation server for broadcast messages. 
Digital Signatures 

When a message is sent encrypted and/or authenticated as described above the data keys 
are already signed using RSA. However, for additional security the MAC itself is 
signed by the source RSA secret key, thus providing a digital signature that can be 
validated using the source RSA public key from the system directory. 

The RSA secret key which is used to generate the digital signature belongs either to an 
application or to a user. In the case of it being the property of an application it is 
stored securely in a tamper-resistant crypto-unit which is attached to the host machine. 
However, where the RSA key belongs to a user it is stored in the personal smart card 
and is carried around by that user. 

Smart card technology does not at present support 512-bit RSA processing to meet the 
response time requirements, and so this must be performed on the digital signal processor 
in the smart card reader. To achieve this the smart card must give up its secret RSA 
key to the reader, which is why the mutual authentication process between these two 
components is so important. Additionally, the reader can be made to be tamper resistant 
[8] [9] to protect secret keys during their residence in the unit. 

Alternatively, if the speeding-up techniques discussed by Matsumoto, Kato and Imai 
[18] can be successfully implemented to achieve acceptable response times there is no 
need for the Fiat-Shamir mutual authentication protocol. In this case the smart card 
will not surrender its secret information to the reader and this latter device need not 
be either trusted or tamper resistant. 

Integration with IBM SNA Environments 

The IBM SNA encrypt/decrypt facilities do not include RSA key management. 
However, on each IBM host an additional cryptographic unit with fast RSA processing 
capability is provided so that master DES keys can be moved around the network 
between hosts. PCs are equipped with plug-in cryptographic boards that emulate IBM 
3848 capability and also provide the additional RSA key management layer. The 
applications on the IBM hosts are responsible for organising the automated management 
of master keys under the RSA layer, using a protocol similar to that described above 
using ANSI X9.17 CSMs [23]. 

Integration with non-IBM Interactive Environments 

IBM SNA is somewhat unique in its provision of an encrypt/decrypt feature within the 
network architecture. Other proprietary network architectures leave cryptography 
largely to the implementers of the applications. The approach described in this paper 
is ideally suited to this latter environment, since the application drives both the key 
management protocols and the service requests to the presentation layer for 
encryption/decryption facilities. Integration into these environments therefore poses 
no substantial problems, since a standard interface can be defined which requires the 
application to incorporate only the necessary message handler for requesting and 
receiving cryptographic services. 



Summary 

The system solution described here provides a multi-layer security architecture using 
unified key management and multi-purpose system components to support a wide range 
of environments and can be integrated with both IBM-style and other proprietary 
security sub-systems. User participation is limited to carrying a secure token and 
supplying a PIN, after which the layered authentication processes are automated. System 
response time is maintained at acceptable levels for the user, and system management 
is eased by the use of automated techniques. Above all an elegant and highly secure 
end-to-end solution is created. 
Abstract. This paper deals with and gives some solutions to the problem of how a 
small device such as a smart card can efficiently execute secret computations using 
computing power of auxiliary devices like (banking-, telephone-, . . .) terminals which 
are not necessarily trusted. One of the solutions shows that the RSA signatures can 
be practically generated by a smart card. 

1. Introduction 

Small devices such as smart cards or IC cards are easy to carry and have the 
ability to compute, memorize, and protect data. Such convenient ultimate personal 
computers have been useful tools for constructing various information systems and 
now they are expected to be utilized in much wider applications. Unfortunately, smart 
cards now available are not so powerful, and the jobs we want them to execute are 
liable to be too hard for them. For example, many want to realize public key cryptographic 
algorithms in smart cards. But these are not easy tasks for them. Even if future smart 
cards were more powerful, the gap would not be filled, because we would require 
more intelligence of them. 

An easy and usual way to overcome this situation is the use of auxiliary computers 
such as (network-, POS-, banking-, telephone-, facsimile-, . . .) terminals to supplement 
the limited computing power of smart cards. In the following we use the terms 'client' 
and 'server'. A client denotes the main device such as a smart card which has a secret 
computation and can execute the computation by itself but takes a long time because 
of the lack of computing resources. A server denotes the auxiliary device which has 
enough computing resources. 

If a server is trustworthy and will not leak the secrets, the client can pass the 
server the description of the secret computation and can ask the server to perform it 
and to tell the result. As an example, in a public key signature scheme, a client sends 



S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 497-506, 1990. 
© Springer-Verlag Berlin Heidelberg 1990 



the message to be signed and the secret key to a server for generating a signature on 
behalf of the client. 

But servers are not always trustworthy. A terminal in a public telephone booth or 
a POS terminal in a supermarket, etc., may be a server which may be equipped with 
a wiretapping device or might be infected by some computer viruses. When the server 
is insecure, the client has to protect its secret from the server during the interaction. 

How can a client securely accelerate secret computations by using untrustworthy 
servers? This is the problem to be solved in this paper. We believe this problem will 
be very important for our future's daily life. In our prior paper [2], we have pointed 
out the importance of the problem and presented some primal considerations. In the 
following sections we demonstrate several protocols solving the problem for (1) matrix 
computation, (2) modular equations, and (3) the RSA cryptosystem. 

2. Related Works and Assumptions 

There is some other research [3] [4] [5] [6] [7] [8] that resembles ours. 

Privacy Homomorphisms, proposed by Rivest-Adleman-Dertouzos [3] and recently 
examined by Brickell-Yacobi [4] and by Ahituv-Lapid-Neumann [5], are cryptographic 
functions preserving some operations. For example, when two data a and b are stored 
in a database in the form of ciphertexts f(a), f(b), if the enciphering function f is 
homomorphic with respect to an operation ∘ in the domain of f and an operation • in 
the codomain of f, then the ciphertext of the data a ∘ b can be obtained as f(a) • f(b) 
without deciphering and re-enciphering. 

A similar notion called the Directly Transformed Link Encryption has been proposed 
by Matsumoto-Okada-Imai [6] in the field of network security. In each node of a 
communication network with link encryption, each ciphertext $c$ coming from 
an input link $i$ is deciphered into a plaintext $m = D_i(c)$ and then, after routing, 
enciphered into another ciphertext $c' = E_j(m)$ to be emitted into an output link $j$. 
Here $D_i$ and $E_j$ are the deciphering and enciphering algorithms associated with the input 
link $i$ and the output link $j$, respectively. The core idea of the directly transformed link 
encryption is to use, instead of $D_i$ and $E_j$, an algorithm $H_{ij}$ which directly transforms 
$c$ into $c'$, so that the security of the plaintext in the node is enhanced. Cryptosystems 
based on power functions are examples of those applicable to the directly transformed 
link encryption. 

Though the notions of privacy homomorphism and directly transformed link 
encryption are attractive, they do not suffice for our purposes. 

On the other hand, Feigenbaum [7] and Abadi-Feigenbaum-Kilian [8] studied the 
problem of so-called Computing with Encrypted Data. Their problem is very similar 
to ours. However, their stance seems to be a little different from ours. Since 
their interest was focused on the theory, in our terminology they assumed that 
the client has probabilistic polynomial time computing power and that the server 
has unlimited computing power, and they derived the interesting conclusion that hard 
functions are also difficult to encrypt securely. Their work is very interesting but 
not sufficient for our practical problem. 
To make the differences clear, we summarize here our assumptions specifically: 

Assumptions: A computation originally owned by a client is a feasible one 
with respect to an ordinary computer. In typical situations, it is probabilistic 
polynomial time computable. However, when the size of the input is small and so 
the computation is tractable by some ordinary computer, the computation might be 
outside probabilistic polynomial time. Servers adopted for the speed up are such 
ordinary computers. That is, there are limits to the computational complexity 
with which the servers can cope. Servers might leak the data treated in interactions 
with a client, but do not refuse the jobs given by the client nor send false answers to the 
client. It suffices for each client to protect its secret from resource-bounded enemies. 
But the computational complexity expended by the client for that purpose should not 
exceed the computational complexity of executing the secret computation by itself. 

3. General Idea of Speed Up 

Let a client want to obtain the value $y = g(x)$ of a computable function $g$ on input 
$x$. Assume that there is an algorithm (circuit) $C_g$ to compute $g$ which is practically 
tractable by a server but not by the client. 
Our general idea of speed up is as follows. 

Protocol P 

(0) The client randomly decomposes the algorithm $C_g$ into three algorithms (circuits) 
$I$, $M$, $F$ such that (i) the consecutive applications of $I$ and $M$ and $F$ compute 
the function $g$ and (ii) the client can execute $I$ and $F$ fast enough. For many 
practical applications, it is worthwhile considering a simpler version in which 
the client is restricted to select $M$ from a predetermined set of algorithms. 

(1) The client applies $I$ to have $u = I(x)$, and sends $[M, u]$ to the server. 

(2) The server applies $M$ to $u$ and sends $v = M(u)$ back to the client. 

(3) The client obtains $y$ by applying $F$ to $v$ as $y = F(v)$. 

Efficiency and Security: Let $Comm(\alpha)$, $Comp_C(\beta)$, and $Comp_S(\gamma)$ denote the 
time to transfer $\alpha$ between the client and the server, the time to execute algorithm 
$\beta$ in the client, and the time to execute algorithm $\gamma$ in the server, respectively. The 
total time to execute steps (1), (2), (3) in the protocol P is 

$T(P) = Comp_C(I) + Comm([M, u]) + Comp_S(M) + Comm(v) + Comp_C(F).$ 

Thus the speed up effect of P is $Comp_C(C_g)/T(P)$. Given an upper bound $B_C$ on the 
computing time of the client, the security of the protocol P is roughly measured by 
the ambiguity 

$A(P) = \#\{[I, F] \mid Comp_C(I) + Comp_C(F) < B_C\}.$ 

Variations: The protocol P can be generalized into two directions by decomposing 
M further. One is to have a series of algorithms and adopt more interactions. The 
other is to have a set of algorithms executable in parallel by independent servers. 
4. Demonstrating the Speed Up Protocols 

We show now some of the basic protocols to demonstrate our idea of enhancing smart 
cards. 

4.1 Speed Up via Coordinate Permutation 

In usual computing environments, multiplying matrices is recognized as rather light 
computation. But it is not so easy for today's smart cards. On the other hand, 
permuting rows and columns of matrices can be performed by only changing indices 
of the components of matrices. We have verified through an experiment [2] that 
this technique actually works well for programs in smart cards. The following three 
examples are based on this fact. The coordinate permutation is a very useful tool for 
constructing speed up protocols. 

[a] Matrix Multiplications 

Target: A client has two secret matrices A and B and wants to obtain the product 
C = AB. 

Assumption: The client can efficiently permute rows and columns of matrices. There 
is a server which can multiply matrices overwhelmingly faster than the client can. 

Protocol MM 

(0) The client randomly generates permutation matrices P, Q and R. 

(1) The client permutes $A$ and $B$ along with $[P, Q]$ and $[Q^{-1}, R]$ to have $A' = PAQ$, 
$B' = Q^{-1}BR$, and sends $[A', B']$ to the server. 

(2) The server computes and sends back to the client $C' = A'B'$. 

(3) The client obtains $C$ by permuting $C'$ along with $[P^{-1}, R^{-1}]$ as $C = P^{-1}C'R^{-1}$. 

Remark: This protocol can be applied to the speed up of evaluating a tuple of 
multivariate polynomials. 

[b] Linear Equations 

Target: A client has a secret non-singular matrix A and a secret matrix B and wants 
to obtain the solution X of the equation AX = B. 

Assumption: The client can efficiently permute rows and columns of matrices. There 
is a server which can solve linear equations overwhelmingly faster than the client can. 

Protocol LE 

(0) The client randomly generates permutation matrices P, Q and R. 

(1) The client permutes $A$ and $B$ along with $[P, Q]$ and $[P, R]$ to have $A' = PAQ$, 
$B' = PBR$, and sends $[A', B']$ to the server. 

(2) The server solves the equation $A'X' = B'$ for $X'$ and sends $X'$ back to the client. 

(3) The client obtains $X$ by permuting $X'$ along with $[Q, R^{-1}]$ as $X = QX'R^{-1}$. 
Remark: A slightly modified version of this protocol can be applied to the linear 
programming problem. 

Evaluation: We have carried out software experiments for Protocols MM and LE. 
The conclusion is that these protocols are effective since, as described above, the 
permutations can be done faster than the matrix multiplications and the amount of 
communication between the client and the server is only three matrices. However, with 
these protocols the server might acquire some statistical information. Indeed, they 
cannot protect the values of functions that are not affected by permutations; an example is the 
determinant of $C$ in Protocol MM. But we think there are many practical applications 
for which these protocols are useful. 
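Protocols MM and LE carried through in Python, as an added example that is not the paper's code: the client side only re-indexes matrix entries (the coordinate permutation), the server functions stand in for the fast auxiliary device, and the sample matrices and the Gauss-Jordan solver are constructed for this example.

```python
"""Protocols MM and LE from Section 4.1 as an added Python example (not the
paper's own code).  Matrices are plain lists of lists; the 'server' is an
ordinary function standing in for the fast auxiliary device, and the client
side never multiplies anything, it only permutes indices."""
import random
from fractions import Fraction


def matmul(A, B):
    """Plain O(n^3) matrix product: the work the client wants to outsource."""
    return [[sum(A[i][t] * B[t][j] for t in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]


def permute(X, rows, cols):
    """Coordinate permutation: result[i][j] = X[rows[i]][cols[j]].
    With P[i][p[i]] = 1 this gives P X = permute(X, p, identity) and
    X Q = permute(X, identity, inverse(q)): index arithmetic only."""
    return [[X[r][c] for c in cols] for r in rows]


def random_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return p


def inverse(p):
    inv = [0] * len(p)
    for i, v in enumerate(p):
        inv[v] = i
    return inv


def solve_linear(A, B):
    """Server-side stand-in for Protocol LE: Gauss-Jordan over the rationals,
    returns X with A X = B (A is assumed non-singular)."""
    n, w = len(A), len(B[0])
    M = [[Fraction(v) for v in A[i]] + [Fraction(v) for v in B[i]] for i in range(n)]
    for c in range(n):
        piv = next(r for r in range(c, n) if M[r][c] != 0)
        M[c], M[piv] = M[piv], M[c]
        M[c] = [v / M[c][c] for v in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                f = M[r][c]
                M[r] = [vr - f * vc for vr, vc in zip(M[r], M[c])]
    return [row[n:n + w] for row in M]


def protocol_mm(A, B, rng=None, server=matmul):
    """Protocol MM: C = AB, the server sees A and B only up to row/column permutation."""
    rng = rng or random.Random()
    p, q, r = (random_perm(len(A), rng), random_perm(len(B), rng),
               random_perm(len(B[0]), rng))                    # step (0): P, Q, R
    A1 = permute(A, p, inverse(q))                             # step (1): A' = P A Q
    B1 = permute(B, inverse(q), inverse(r))                    #           B' = Q^-1 B R
    C1 = server(A1, B1)                                        # step (2): C' = A'B' = P(AB)R
    return permute(C1, inverse(p), r)                          # step (3): C = P^-1 C' R^-1


def protocol_le(A, B, rng=None, server=solve_linear):
    """Protocol LE: solve A X = B, again hiding A and B up to permutation."""
    rng = rng or random.Random()
    p, q, r = (random_perm(len(A), rng), random_perm(len(A), rng),
               random_perm(len(B[0]), rng))                    # step (0)
    A1 = permute(A, p, inverse(q))                             # step (1): A' = P A Q
    B1 = permute(B, p, inverse(r))                             #           B' = P B R
    X1 = server(A1, B1)                                        # step (2): A' X' = B'
    return permute(X1, q, r)                                   # step (3): X = Q X' R^-1


# Constructed sample input (not from the paper); A is non-singular (det = 18).
A_SAMPLE = [[2, 1, 0], [1, 3, 1], [0, 1, 4]]
B_SAMPLE = [[1, 2], [0, 1], [3, 1]]

if __name__ == "__main__":
    print(protocol_mm(A_SAMPLE, B_SAMPLE))            # [[2, 5], [4, 6], [12, 5]]
    X = protocol_le(A_SAMPLE, B_SAMPLE)
    print(matmul(A_SAMPLE, X) == B_SAMPLE)            # True
```

The determinant caveat from the Evaluation shows up directly: C' = P C R, so det(C') = ±det(C) whatever permutations the client picks.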

[c] Graph Isomorphisms 

Target: A client has two secret graphs $a$ and $b$ with the same number of vertices and 
edges, with adjacency matrices $A$ and $B$ respectively, and wants to know whether 
these graphs are isomorphic or not. If they are isomorphic, the client also wants 
to obtain the isomorphism, which is the permutation $x$ of coordinates determined by 
the permutation matrix $X$ satisfying the equation $AX = XB$. 

Assumption: The client can efficiently permute rows and columns of matrices. There 
is a server which can quickly solve the graph isomorphism problem. But the server 
may not be able to quickly solve the graph non-isomorphism problem. 

Protocol GI 

(0) The client randomly generates permutations $p$ and $q$, to which correspond 
permutation matrices $P$, $Q$, respectively. 

(1) The client permutes rows and columns of $A$ and $B$ along with $p$ and $q$ to have 
$A' = PAP^{-1}$, $B' = QBQ^{-1}$, and sends $[A', B']$ to the server. 

(2) The server tries to decide, within a period of time, whether the graphs with adjacency 
matrices $A'$ and $B'$ are isomorphic or not. If they are decided to be isomorphic, 
the server computes the permutation $x'$ corresponding to the isomorphism and 
sends $x'$ to the client. Otherwise, the server sends to the client. 

(3) If $x'$ is sent, the client obtains $x$ by transforming $x'$ with $p^{-1}$ and $q$ as $x = p^{-1}x'q$. 
If is sent, the client decides that $a$ and $b$ are not isomorphic. 

Remark: This protocol can be applied to the speed up of pattern recognition based 
on the graph isomorphisms. 

4.2 Modular Equations 

Univariate polynomial equations over finite fields can be solved by polynomial time 
algorithms, and as Rabin [10] shows, there are efficient probabilistic algorithms for 
them. The main job of these algorithms is to compute the greatest common divisor of two 
polynomials by applying the well-known extended Euclidean algorithm. However, 
these are not such easy tasks for ordinary smart cards. 
Target: A client has secret integers $k$ and $a_0, a_1, a_2, \ldots, a_{m-1}$ such that the modular 
equation 

$a_0 + a_1 x + a_2 x^2 + \cdots + a_{m-1} x^{m-1} + x^m \equiv 0 \pmod{k}$ 

is solvable in $x$, and wants to obtain a solution $x$ of this equation. 

Assumption: The client can efficiently execute multiplication mod $k$ and division 
mod $k$. There is a server which can solve modular equations overwhelmingly faster 
than the client can. 

Protocol ME 

(0) The client randomly selects an integer $r$ such that $\gcd(r, k) = 1$. 

(1) The client computes $[b_0, b_1, b_2, \ldots, b_{m-1}]$ by 

$c_0 = 1$, and $c_i = r c_{i-1} \bmod k$, $b_{m-i} = c_i a_{m-i} \bmod k$ for $i = 1, \ldots, m$, 

and sends $[b_0, b_1, b_2, \ldots, b_{m-1}, k]$ to the server. 

(2) The server obtains a solution $y$ of the equation 

$b_0 + b_1 y + b_2 y^2 + \cdots + b_{m-1} y^{m-1} + y^m \equiv 0 \pmod{k}$ 

and sends $y$ back to the client. 

(3) The client obtains $x$ as $x = y r^{-1} \bmod k$. 

Remark: This protocol can be generalized to fit any system of multivariate polynomial 
equations over any commutative ring. 

Evaluation: Protocol ME is very effective, because in the protocol the computation 
the client has to do is only $2m$ multiplications mod $k$ and one division mod $k$, the 
amount of communication between the client and the server is only $m + 2$ integers, 
and the server can learn nothing about the secret of the client. 
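Protocol ME as an added Python example, not the paper's code: the server is a brute-force root finder over $Z_k$ (so the modulus must stay small; $k = 101$ here), and the polynomial is constructed so that its roots are known. The blinding substitutes $x = y r^{-1}$ and scales by $r^m$, which is why the server's root is $y = rx \bmod k$.

```python
"""Protocol ME (Section 4.2) as an added Python example; not the paper's own
code.  The 'server' here is a brute-force root finder standing in for the fast
device, so the modulus has to be small; the client side is the real protocol."""
import random
from math import gcd


def eval_poly(coeffs, x, k):
    """Value of the monic polynomial a_0 + a_1 x + ... + a_{m-1} x^{m-1} + x^m mod k."""
    m = len(coeffs)
    return (sum(a * pow(x, i, k) for i, a in enumerate(coeffs)) + pow(x, m, k)) % k


def server_solve(b, k):
    """Stand-in for the server (step (2)): exhaustive search over Z_k."""
    for y in range(k):
        if eval_poly(b, y, k) == 0:
            return y
    return None


def blind(a, k, r):
    """Step (1): b_{m-i} = c_i a_{m-i} mod k with c_0 = 1, c_i = r c_{i-1} mod k,
    i.e. b_j = r^{m-j} a_j.  Exactly 2m modular multiplications, as the paper counts."""
    m = len(a)
    b = [0] * m
    c = 1
    for i in range(1, m + 1):
        c = (r * c) % k
        b[m - i] = (c * a[m - i]) % k
    return b


def protocol_me(a, k, rng=None, server=server_solve):
    """Returns a root x of a_0 + ... + x^m = 0 (mod k), or None if the server finds none.
    The server only sees [b_0, ..., b_{m-1}, k]; any root it finds is r*x mod k."""
    rng = rng or random.Random()
    while True:                                   # step (0): r with gcd(r, k) = 1
        r = rng.randrange(1, k)
        if gcd(r, k) == 1:
            break
    b = blind(a, k, r)                            # step (1)
    y = server(b, k)                              # step (2)
    if y is None:
        return None
    return (y * pow(r, -1, k)) % k                # step (3): the one division mod k


# Constructed sample: k = 101 and (x - 7)(x - 20) = x^2 + 74x + 39 (mod 101).
K_SAMPLE = 101
A_SAMPLE = [39, 74]

if __name__ == "__main__":
    x = protocol_me(A_SAMPLE, K_SAMPLE, random.Random(5))
    print(x, eval_poly(A_SAMPLE, x, K_SAMPLE))    # 7 or 20, and 0
```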

5. Speeding Up the RSA Transformations 

Is it possible to securely implement the RSA cryptosystem [11] with smart cards and 
terminals? We think the answer is yes. For the RSA public transformation, a speed up 
protocol is described in [2]. For the RSA secret transformation, we show below two 
of the developed protocols. 

Target: A client has integers $x$, $d$, $n$ and wants to obtain the integer $y = x^d \bmod n$. 
The integer $d$ is the secret of the client, while the integers $n$ and $e$ such that $ed \equiv 1 
\pmod{\lambda(n)}$ are made public. Here $n$ is the product of two large secret primes $p$, $q$ 
($p \neq q$), and $\lambda(n)$ is the secret integer $\mathrm{lcm}(p-1, q-1)$. 

For simplicity, the integer $x$ may be known to the server. (It is an easy task to 
modify the following protocols, adding slightly to the complexity, so that $x$ is also 
hidden from the server.) 
5.1 Secret Powering 1 

Assumption: The client can execute several multiplications mod $n$. There is a 
server which is equipped with a device which can implement the RSA secret 
transformation overwhelmingly faster than the naked client can. 

Protocol RSA-S1 

(0) The client randomly generates an integer vector $D = [d_1, d_2, \ldots, d_M]$ and a binary 
vector $F = [f_1, f_2, \ldots, f_M]$ such that 

$d \equiv f_1 d_1 + f_2 d_2 + \cdots + f_M d_M \pmod{\lambda(n)}$ 

and $1 < d_i < n$ and $\mathrm{Weight}(F) = \sum_{i=1}^{M} f_i \le L$, where $M$ and $L$ are some integers. 

(1) The client sends n, D, and x to the server. 

(2) The server computes and sends back to the client $Z = [z_1, z_2, \ldots, z_M]$ such that 

$z_i = x^{d_i} \bmod n.$ 

(3) The client obtains $y$ by computing $y = y_M$ as follows: 

$y_0 = 1$, $y_i = y_{i-1} z_i \bmod n$ if $f_i = 1$; $y_i = y_{i-1}$ if $f_i = 0$, ($i = 1, 2, \ldots, M$). 

Variation: We have a more general protocol if we exclude 'binary' from the condition 
on $F$. 

Complexity: Since the step (0) can be precomputed, for each x it is sufficient for the 
client to do at most L — 1 multiplications mod n. The amount of communication is 
2(M + 1) integers of size at most logn bits. 

Security: If the RSA cryptosystem is secure, the protocol could be broken only by 
searching true d via the exhaustion of 

possibilities. 

Remark: If $e$ is hidden from the server, Protocol RSA-S1 is applicable also to the 
case where $\lambda(n)$ can be readily computed from $n$. Secret powering over a finite field is 
an example. 

Though this property is not preserved, we can have a more efficient protocol by 
utilizing the Chinese Remainder Theorem: 

5.2 Secret Powering 2 

Assumption: The client can execute several multiplications mod $p$ and mod $q$. The 
client has computed integers $w_p$ and $w_q$ such that 

$w_p = q(q^{-1} \bmod p)$, $w_q = p(p^{-1} \bmod q)$. 

There is a server which is equipped with a device which can implement the RSA secret 
transformation overwhelmingly faster than the naked client can. 

Protocol RSA-S2 

(0) The client randomly generates an integer vector $D = [d_1, d_2, \ldots, d_M]$ and two 
binary vectors $F = [f_1, f_2, \ldots, f_M]$ and $G = [g_1, g_2, \ldots, g_M]$ such that 

$d \equiv f_1 d_1 + f_2 d_2 + \cdots + f_M d_M \pmod{p-1}$ 

$d \equiv g_1 d_1 + g_2 d_2 + \cdots + g_M d_M \pmod{q-1}$ 

and $1 < d_i < n$ and $\mathrm{Weight}(F) + \mathrm{Weight}(G) = \sum_{i=1}^{M} f_i + \sum_{i=1}^{M} g_i \le L$, where 
$M$ and $L$ are some integers. 

(1) The client sends n, D, and x to the server. 

(2) The server computes and sends back to the client $Z = [z_1, z_2, \ldots, z_M]$ such that 

$z_i = x^{d_i} \bmod n.$ 

(3) The client obtains $y$ by computing as follows: 

$y = (y_{p,M} w_p + y_{q,M} w_q) \bmod n,$ 

$y_{p,0} = 1$, $y_{p,i} = y_{p,i-1} z_i \bmod p$ if $f_i = 1$; $y_{p,i} = y_{p,i-1}$ if $f_i = 0$, 
$y_{q,0} = 1$, $y_{q,i} = y_{q,i-1} z_i \bmod q$ if $g_i = 1$; $y_{q,i} = y_{q,i-1}$ if $g_i = 0$, 
for $i = 1, 2, \ldots, M$. 

Variation: We have a more general protocol if we exclude 'binary' from the condition 
on $F$ and $G$. 

Complexity: Since step (0) can be precomputed, for each $x$ the amount of 
computation the client has to do is equivalent to at most $3L/2$ multiplications 
mod $p$ or mod $q$. The amount of communication is $2(M + 1)$ integers of size at most 
$\log n$ bits. 

Security: If the RSA cryptosystem is secure, the protocol could be broken only by 
searching true d via the exhaustion of 

possibilities. 

Examples: Using an i8086 (5MHz) (30 msec / 256-bit modular multiplication) or a Z-80 
(6MHz) (300 msec / 256-bit modular multiplication) as a smart card with a single 
64-Kbps (non-contact type) or 9600-bps serial link and RSA hardware (chips) [13] 
with speed 32-Kbps or 4800-bps, Protocol RSA-S2 can be accomplished about 4 to 30 
times faster than the case where the microprocessor does the whole computation with 
the method due to Quisquater-Couvreur [12] (see Table A). 
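Protocol RSA-S2 as an added Python example (not the authors' code) on a toy RSA instance constructed for it ($p = 61$, $q = 53$, $e = 17$, $d = 413$): Python's pow() with the full $d_i$ exponents plays the part of the server's RSA hardware, and the method for producing $D$, $F$ and $G$ in step (0) is an assumption, since the paper states only the conditions they must satisfy.

```python
"""Protocol RSA-S2 (Section 5.2) as an added Python example; not the paper's own
code.  pow() with the full d_i exponents stands in for the server's RSA
hardware.  How D, F, G are produced in step (0) is an assumed construction;
the paper only states the conditions they must satisfy."""
import random


def crt_weights(p, q):
    """w_p = q (q^{-1} mod p), w_q = p (p^{-1} mod q), precomputed by the client."""
    return q * pow(q, -1, p), p * pow(p, -1, q)


def decompose(d, p, q, M=50, L=20, rng=None):
    """Step (0): D = [d_1..d_M] with 1 < d_i < n, binary F and G with
    d = sum f_i d_i (mod p-1), d = sum g_i d_i (mod q-1), Weight(F)+Weight(G) <= L.
    Assumed construction: random D, disjoint random index sets for F and G, and
    the last index of each set solved for so that its congruence holds."""
    assert 4 <= L <= M
    rng = rng or random.Random()
    n = p * q
    idx = rng.sample(range(M), L)
    f_idx, g_idx = idx[:L // 2], idx[L // 2:]
    D = [rng.randrange(2, n) for _ in range(M)]
    for sel, mod in ((f_idx, p - 1), (g_idx, q - 1)):
        t = (d - sum(D[i] for i in sel[:-1])) % mod
        D[sel[-1]] = t + mod * rng.randrange(1, (n - 1 - t) // mod)  # keeps 1 < d_i < n
    F = [int(i in f_idx) for i in range(M)]
    G = [int(i in g_idx) for i in range(M)]
    return D, F, G


def server_rsa_hardware(n, D, x):
    """Step (2): the server sees only n, D and x and returns z_i = x^{d_i} mod n."""
    return [pow(x, di, n) for di in D]


def recombine(Z, F, G, p, q, wp, wq):
    """Step (3): Weight(F)+Weight(G) multiplications mod p or mod q, then one
    CRT combination mod n.  d never leaves the client, nor do p and q."""
    yp = yq = 1
    for zi, fi, gi in zip(Z, F, G):
        if fi:
            yp = yp * zi % p
        if gi:
            yq = yq * zi % q
    return (yp * wp + yq * wq) % (p * q)


def protocol_rsa_s2(x, d, p, q, M=50, L=20, rng=None, server=server_rsa_hardware):
    """Returns x^d mod n with only n, D and x ever sent to the server."""
    wp, wq = crt_weights(p, q)
    D, F, G = decompose(d, p, q, M, L, rng)       # independent of x: precomputable
    Z = server(p * q, D, x)
    return recombine(Z, F, G, p, q, wp, wq)


# Constructed toy RSA instance (not from the paper): n = 61 * 53, e = 17, d = 413.
P_SAMPLE, Q_SAMPLE, E_SAMPLE, D_SAMPLE = 61, 53, 17, 413

if __name__ == "__main__":
    n = P_SAMPLE * Q_SAMPLE
    c = pow(65, E_SAMPLE, n)                      # public transformation: 2790
    print(protocol_rsa_s2(c, D_SAMPLE, P_SAMPLE, Q_SAMPLE))   # 65
```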

6. Conclusion 

With several demonstrating examples, we have presented an important research 
problem of how to supplement the limited computing power of smart cards. The described 
protocols are all very simple but can actually be utilized in a system consisting of smart 
cards and auxiliary computers. Other protocols and problems to be developed are 
described in [9]. 
Table A. Examples of Protocol RSA-S2 

[Processing time for a 512-bit message block] 

                                      i8086 (5MHz)             Z80 (6MHz) 

Serial link 64 Kbps                   L = 20, M = 50           L = 12, M = 142 
  + RSA hardware 32 Kbps              1.7 sec                  7.7 sec 
                                      <13.5 times faster>      <30 times faster> 

Serial link 9600 bps                  L = 32, M = 37           L = 18, M = 58 
  + RSA hardware 4800 bps             5.5 sec                  14.4 sec 
                                      <4.2 times faster>       <16 times faster> 

Conventional method [12]              23 sec                   230 sec 

Modulus n: 512 bit.  Security > 10^20 
Developing Ethernet Enhanced-Security System 

B. J. Herbison 

Abstract 

The Ethernet Enhanced-Security System (EESS) provides encryption 
of Ethernet frames using the DES algorithm with pairwise keys, and a 
centralized key distribution center (KDC) using a variation of the Needham 
and Schroeder key distribution protocol. This paper is a discussion of some 
practical problems that arose during the development of this system. 
Section 1 contains an overview of the system and section 2 provides more 
detail on the system architecture. The remaining sections discuss various 
problems that were considered during the development and how they were 
resolved. 

1 Overview of the System 

The Ethernet Enhanced-Security System (EESS) consists of Digital Ethernet 
Secure Network Controllers and VAX Key Distribution Center software. DESNC 
controllers are encryption devices that provide node authentication and data 
confidentiality and integrity on an Ethernet [1] (or IEEE 802.3) local area network 
(LAN). The VAX KDC software manages the DESNC controllers on a LAN and 
enforces a LAN access control policy. 

DESNC controllers are store-and-forward communication devices that sit 
between nodes and the Ethernet. Each controller has four ports for nodes and one 
port that is connected to the LAN. Communication among these five ports is 
restricted by the controller according to the LAN access control policy. 

When Ethernet frames are exchanged between two nodes that are connected to 
two different DESNC controllers, the frames are encrypted by one controller and 
decrypted by the other controller. This encryption occurs at the Data Link layer 
of the network and is transparent to higher network protocol layers. Nodes can 
use any network protocols that normally work over Ethernet (e.g., DECnet or 
TCP/IP) without modification, and any device that conforms to the Ethernet or 
IEEE 802.3 standard can be attached to a DESNC controller. 

The following are trademarks of Digital Equipment Corporation: 
DESNC, VAX KDC, DECnet, VAX, and VMS. 

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 507-519, 1990. 

Figure 1: Sample Secure Ethernet 

DESNC controllers are managed by VAX KDC software running under VMS 
on specially designated KDC nodes on the Ethernet. Each KDC node must be 
attached to a DESNC controller that assists the KDC node; this controller is 
called a KDC controller. A KDC node and the attached KDC controller are 
collectively referred to as a KDC. 

KDC nodes provide a user interface for the network security manager to 
control the security of the network. Through the interface the network security 
manager informs the KDC and the DESNC controllers of the configuration of the 
LAN, enters the LAN access control policy, determines the status of controllers on 
the LAN, and controls the network security auditing on the LAN. 

It is possible to have multiple KDC nodes on one LAN. A large extended LAN 
can be supported with only a few KDC nodes, but having more than one KDC 
node improves the availability of the LAN by eliminating a single point of failure. 

A sample secure Ethernet is shown in figure 1. The format used for encrypted 
node frames transmitted between DESNC controllers is shown in figure 2. 
Everything from the sequence number to the manipulation detection code (MDC) 
is encrypted. Most of the fields in the message are present as a result of the issues 
discussed in this paper. The section references indicate the locations in this paper 
where the fields are discussed. 



2 System Architecture 
2.1 Encryption Keys 

Messages exchanged among DESNC controllers and KDCs are encrypted using the 
Data Encryption Standard (DES) encryption algorithm [2,3]. The messages are 
encrypted using the Cipher Block Chaining (CBC) mode of DES. When a message 
is encrypted, the encrypted portion of the message is padded to a multiple of the 
DES block length (8 bytes). 

Fields                     Size         Section 
Destination Address        6 bytes 
Source Address             6 bytes 
IEEE 802 Header            10 bytes     5.2 
Message Type               2 bytes      3 
Encryption Identifier      2 bytes      3 
Original Header            10 bytes     5.3 
Sequence Number        *   4 bytes      4 
Message Type Copy      *   2 bytes      3 
Original Header        * 
Original Data Field    * 
Padding                *   0-7 bytes    2.1 
MDC                    *   2 bytes      2.2 
Ethernet FCS               4 bytes 

* marks the encrypted fields 

Figure 2: Encrypted Frame Format 

Several different types of DES encryption keys are used by controllers and the 
KDC software. 

VAX KDC Master Key: This key is used to encrypt controller master keys 
that are stored on KDC nodes. This encryption prevents an intruder from 
compromising the security of a LAN by merely obtaining a copy of the 
information stored on the KDC node (for example, reading a BACKUP tape 
from the KDC node). 

This key is only known by the network security manager and the KDC 
controllers. 

Key Generation Key: This key is used as part of the process that generates 
encryption keys. This key is only known to the network security manager 
and a KDC controller. 

Initialization Key: These keys, one per controller, are used to distribute the 
master and service keys for a controller, and are then discarded. Each 
initialization key is known only by the network security manager, the 
controller initialized with that key, and the KDC that initializes the 
controller. 



Master Key and Service Key: These encryption keys are used to 
communicate between controllers and KDCs. A different pair of keys is used 
for each controller. The keys for a controller are only known by the controller 
and the KDCs, and they are only stored in encrypted form on KDC nodes. 
These keys are never handled in unencrypted form by any person. 

Association Key: These keys are used to encrypt communication between nodes 
protected by controllers. A different association key is used for each pair of 
nodes that communicate. Association keys are distributed by KDCs when 
controllers request associations. Association keys are only known by the 
controllers involved and by a KDC controller. These keys are never stored 
on a KDC node or handled by any person. 

KDC controllers will generate encryption keys as needed by the KDC nodes, or 
the network security manager can have the KDC nodes acquire the keys that they 
need from a user-supplied key source. A small amount of user programming is 
required to use a user-supplied key source, as well as a large supply of keys. 

2.2 Modification Detection 

When messages are encrypted, a manipulation detection code (MDC) is appended 
to the end of the message before encryption. The MDC field, produced by using a 
16-bit CRC, is part of the encrypted portion of the message. When messages are 
decrypted, the MDC function of the message is calculated again and compared 
with the value sent with the message to determine if the message was modified as 
it was sent over the LAN. 
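The encrypted fields of Figure 2 with the padding of Section 2.1 and the MDC check of Section 2.2, as an added Python example that is not EESS code: DES-CBC itself is omitted (the functions build and check the plaintext the controller would encrypt), and the CRC-16 polynomial, zero-valued padding bytes and passing the original data length explicitly are all assumptions, the paper giving only "a 16-bit CRC" and "0-7 bytes".

```python
"""Plaintext of the encrypted node-frame fields of Figure 2 and the MDC check
of Section 2.2, as an added Python example; not EESS code.  DES-CBC is left
out: these functions produce and verify what the controller would encrypt,
which is what the padding and the MDC act on.  Assumptions: CRC-16 polynomial
0x1021, padding bytes are zero, and the receiver is told the original data
length (in EESS it comes from the unencrypted Original Header)."""
import struct

DES_BLOCK = 8          # CBC block size the encrypted portion is padded to
MDC_LEN = 2            # 16-bit CRC


def crc16(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bit-serial CRC-16 (assumed CCITT polynomial, non-reflected)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_protected(seq: int, msg_type: int, orig_header: bytes, data: bytes) -> bytes:
    """Plaintext of the encrypted fields, in Figure 2 order:
    Sequence Number (4) | Message Type Copy (2) | Original Header (10) | data |
    Padding (0-7, assumed zero) | MDC (2).  The total is a multiple of 8."""
    if len(orig_header) != 10:
        raise ValueError("original header must be 10 bytes")
    body = struct.pack(">IH", seq, msg_type) + orig_header + data
    body += bytes((-(len(body) + MDC_LEN)) % DES_BLOCK)
    return body + struct.pack(">H", crc16(body))        # MDC appended last, then CBC


def parse_protected(plain: bytes, expected_type: int, data_len: int):
    """Receiver side after decryption: recompute the MDC, compare the message
    type copy with the unencrypted Message Type, and strip the padding.
    Returns (sequence number, original header, data) or raises ValueError;
    the sequence number is returned for the caller's replay handling."""
    if len(plain) % DES_BLOCK or len(plain) < 6 + 10 + MDC_LEN:
        raise ValueError("bad length")
    body, mdc = plain[:-MDC_LEN], struct.unpack(">H", plain[-MDC_LEN:])[0]
    if crc16(body) != mdc:
        raise ValueError("MDC mismatch: frame modified on the LAN")
    seq, type_copy = struct.unpack(">IH", body[:6])
    if type_copy != expected_type:
        raise ValueError("message type copy does not match outer type")
    header, rest = body[6:16], body[16:]
    data, pad = rest[:data_len], rest[data_len:]
    if len(pad) > 7 or any(pad):
        raise ValueError("bad padding")
    return seq, header, data


def is_intact(plain: bytes, expected_type: int, data_len: int) -> bool:
    try:
        parse_protected(plain, expected_type, data_len)
        return True
    except ValueError:
        return False


# Constructed sample (not from the paper): a 10-byte original header and 10 data bytes.
HEADER_SAMPLE = bytes.fromhex("aabbccddeeff11223344")
DATA_SAMPLE = b"hello EESS"

if __name__ == "__main__":
    plain = build_protected(1, 0x0001, HEADER_SAMPLE, DATA_SAMPLE)
    print(len(plain), is_intact(plain, 0x0001, len(DATA_SAMPLE)))     # 32 True
    tampered = bytearray(plain)
    tampered[20] ^= 0x01                                              # one flipped bit
    print(is_intact(bytes(tampered), 0x0001, len(DATA_SAMPLE)))       # False
```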

2.3 Initializing Controllers 

Before a DESNC controller can operate, it must be initialized. To initialize a 
controller, the following steps are required: 

• The network security manager enters information about the controller into a 
KDC node. This information includes the Ethernet address of the controller, 
the Ethernet addresses of the nodes protected by the controller, and the 
access control policy for those nodes. 

The access control policy is specified by assigning an access class range 
to each node on the LAN. The access class ranges are from a Bell and 
LaPadula [4]/Biba [5] secrecy and integrity lattice, with 256 secrecy and 
integrity levels and 64 secrecy and integrity categories. 

• On the request of the network security manager, the KDC node prints out 
an initialization key for the controller. The key is either generated by the 
KDC controller or taken from a supplied key source. 

• The network security manager enters the initialization key in the controller 
through a keypad on the controller's front panel. 
• The controller communicates with the KDC and receives its master key. 
The master key exchange is encrypted with the initialization key that was 
entered into the controller. After this step the initialization key is erased 
and not used again. 

• The controller communicates with the KDC and receives the information 
that it needs to operate. This information includes: 

- The lifetime for association encryption keys. 

- The name of the firmware that the controller should be using, and a 
cryptographic checksum for the firmware image. 

- The addresses of the key distribution centers on the LAN. 

- The addresses of the nodes supported by the controller. 

- Information about the supported nodes. 

- A list of the events that the controller should audit. 

All of this information is encrypted under the controller's master key when 
it is distributed over the LAN. 

After these steps, the controller is operational. The controller can now 
communicate with any KDC on the LAN. Once a controller is initialized it is 
not necessary to enter any additional information manually. If the distributed 
information needs to be changed, the changes can be made remotely from any 
KDC. DESNC controllers retain the distributed information during power-off and 
over power interruptions, but the information will be erased if a DESNC controller 
is opened. 

Operational controllers request association keys from KDC nodes as necessary, 
and encrypt and decrypt Ethernet frames sent by nodes using those keys. 

2.4 Downline Loading Controllers 

The operational firmware image used by DESNC controllers is downline loaded 
over the Ethernet using the same mechanism employed by other Digital products. 
This allows the controllers to be downline loaded by the same downline load 
servers that load other products on the Ethernet. These images are not encrypted 
and the servers are not necessarily KDCs. The integrity of the images (and the 
security of the LAN) is protected in the following manner: 

1. When a new firmware image is installed on a KDC and downline load 
servers, the KDC generates an encryption key and a cryptographic checksum 
for the image. The KDC generates a different key and checksum for each 
controller on the Ethernet. 

2. During controller initialization, the KDC distributes the name of the 
firmware image and the appropriate checksum information to each controller. 
If a new image is installed after a controller is initialized, any KDC may 
distribute the new image name and checksum information to the controller. 

3. When a controller needs to be downline loaded, it requests the appropriate 
image. After it receives the image from a downline load server, the controller 
calculates the checksum for the image and compares the value against the 
stored value. If the received image does not have the correct checksum then 
that image is ignored and a new image is requested. 

2.5 Associations 

When two nodes try to communicate by exchanging Ethernet frames over the 
LAN, controllers will not allow the communication unless the association is 
allowed by a KDC. If allowed, these associations are granted upon demand by 
KDCs. 

There are three different types of associations: 

• Associations between two nodes protected by different controllers. Frames 
sent under these associations are secured through encryption while they are 
on the Ethernet. 

An example of this type of association would be an association between 
node A and node B in the LAN shown in figure 1. 

• Associations between two nodes protected by the same controller. Frames 
sent under these associations are never sent on the Ethernet so there is no 
need for them to be encrypted. The controller only sends the frame to the 
node port where the destination node is attached, so this type of association 
is secure. 

An example of this type of association would be an association between 
node B and node C in the LAN shown in figure 1. 

• Associations between a node protected by a controller and a node not 
protected by a controller. Frames sent under these associations are not 
encrypted (because there is no second controller to decrypt the frame), 
but communication is not allowed unless approved by a KDC. 

An example of this type of association would be an association between 
node C and node D in the LAN shown in figure 1. 

When communication occurs between two nodes not protected by DESNC 
controllers, controllers and KDCs are not involved in the communication. 
2.5.1 Encrypted Association Set-Up 

The protocol exchange used between DESNC controllers and KDCs to set up encrypted 
associations is similar to the protocols described in Needham and 
Schroeder [6] and Voydock and Kent [7]. Here is an example of how an association 
would be established between two nodes that are both connected to DESNC 
controllers. 

Consider the LAN shown in figure 1. Setting up an association between 
node A and node B involves the following steps: 

1. Node A sends an Ethernet frame to node B. 

2. Controller A receives the Ethernet frame and verifies the source address of 
the frame. 

3. Controller A requests an association from the KDC. 

4. The KDC checks the access control policy, determines that nodes A and B 
are allowed to communicate, and sends an Association Open message to 
controller A. The Association Open message is encrypted with the master 
key of controller A. The message contains an association key, either 
generated by the KDC controller or taken from a supplied key source. 

5. Controller A sends an Association Forward message to controller B. 
The Association Forward message is encrypted with the master key of 
controller B. This message was generated by the KDC and included in 
the Association Open message sent to controller A. 

6. Controllers A and B communicate and determine that they share a common 
association key. 

7. Controller A encrypts the frame sent in step 1 with the association key and 
sends the encrypted frame to controller B. 

8. Controller B receives the encrypted frame, decrypts the frame, checks the 
manipulation detection code, and transmits the frame to node B. 

Once the association is established, no further interaction with the KDC is 
required and all communication between nodes A and B is encrypted with the 
association key until the association expires. If an association is active and 
approaching expiration, the controller that originally requested the association 
(controller A in this example) will request another association before the first 
association expires. 

The duration of associations is determined by the network security manager, 
and the information is distributed to controllers when they are initialized. 
2.5.2 Unencrypted Association Set-Up 

Associations that involve only one DESNC controller (either because both nodes 
are attached to the same controller or because only one node is attached to a 
controller) do not require an encryption key and do not involve synchronization 
between two controllers. Setting up these associations is simpler than setting up 
encrypted associations, since several steps can be omitted. 

For example, if node B in figure 1 wants to communicate with node C or 
node D, the following steps are required: 

1. Node B sends an Ethernet frame. 

2. Controller B receives the Ethernet frame and verifies the source address of 
the frame. 

3. Controller B requests an association from the KDC. 

4. The KDC checks the access control policy, determines that the nodes are 
allowed to communicate, and sends an Association Open message to 
controller B. The Association Open message is encrypted with the master 
key of controller B. No encryption keys are included in the message. 

5. Controller B sends the frame received in step 1 to the appropriate 
destination (either to the correct port or to the LAN). 

As in the previous case, communication between the node pair continues 
without KDC intervention for the duration of the association. 
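The two set-up procedures above (2.5.1 and 2.5.2), worked through as an added example that is not code from the paper or from the DESNC product: a KDC that holds the controllers' master keys and the access control policy, and two controllers that carry out steps 2 to 8. The cipher is a toy encrypt-then-MAC construction (HMAC-SHA256 keystream and tag) standing in for DES with a manipulation detection code; the message layout, field names and JSON encoding are assumptions made for the example.

```python
import hashlib, hmac, json, os

# Toy authenticated encryption standing in for DES plus the manipulation detection
# code (MDC): encrypt-then-MAC with an HMAC-SHA256 keystream. Illustration only.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("manipulation detection code failed")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))

class KDC:
    """Holds every controller's master key and the access control policy."""
    def __init__(self, master_keys, node_to_controller, allowed_pairs):
        self.master_keys = master_keys                # controller id -> master key
        self.node_to_controller = node_to_controller  # node -> controller id, or None if unprotected
        self.policy = {frozenset(pair) for pair in allowed_pairs}

    def request_association(self, requester, src, dst):
        """Step 4: check the policy and build the Association Open for the requester. An association
        key (plus an Association Forward for the peer) is issued only when a second controller is
        involved (2.5.1); a same-controller or single-controller pair gets no key (2.5.2)."""
        if frozenset((src, dst)) not in self.policy:
            return None
        peer = self.node_to_controller.get(dst)
        msg = {"type": "ASSOC_OPEN", "src": src, "dst": dst}
        if peer is not None and peer != requester:
            assoc_key = os.urandom(32)
            forward = {"type": "ASSOC_FORWARD", "src": src, "dst": dst, "assoc_key": assoc_key.hex()}
            msg["assoc_key"] = assoc_key.hex()
            msg["forward"] = seal(self.master_keys[peer], json.dumps(forward).encode()).hex()
        return seal(self.master_keys[requester], json.dumps(msg).encode())

class Controller:
    def __init__(self, master_key, node_ports):
        self.master_key = master_key
        self.node_ports = set(node_ports)  # nodes attached to this controller's node ports
        self.assocs = {}                   # (src, dst) -> association key, or None when unencrypted

    def handle_open(self, blob):
        """Steps 4-5: decrypt the Association Open under the master key and record the association.
        Returns the Association Forward to relay to the peer controller, if the KDC included one."""
        msg = json.loads(unseal(self.master_key, blob))
        self.assocs[(msg["src"], msg["dst"])] = bytes.fromhex(msg["assoc_key"]) if "assoc_key" in msg else None
        return bytes.fromhex(msg["forward"]) if "forward" in msg else None

    def handle_forward(self, blob):
        msg = json.loads(unseal(self.master_key, blob))
        self.assocs[(msg["src"], msg["dst"])] = bytes.fromhex(msg["assoc_key"])

    def send_frame(self, src, dst, frame):
        """Step 2 (source address check) and step 7: encrypt with the association key, or pass in clear."""
        if src not in self.node_ports:
            raise ValueError("source address is not attached to this controller")
        key = self.assocs[(src, dst)]
        return frame if key is None else seal(key, frame)

    def receive_frame(self, src, dst, blob):
        """Step 8: decrypt, check the MDC, and hand the frame to the destination node."""
        key = self.assocs[(src, dst)]
        return blob if key is None else unseal(key, blob)

def demo():
    master = {"A": os.urandom(32), "B": os.urandom(32)}            # controller master keys (constructed)
    kdc = KDC(master, {"nodeA": "A", "nodeB": "B", "nodeC": "B", "nodeD": None},
              [("nodeA", "nodeB"), ("nodeB", "nodeC"), ("nodeB", "nodeD")])
    ctl_a, ctl_b = Controller(master["A"], ["nodeA"]), Controller(master["B"], ["nodeB", "nodeC"])
    # 2.5.1: nodeA -> nodeB crosses two controllers, so a key is issued and forwarded
    ctl_b.handle_forward(ctl_a.handle_open(kdc.request_association("A", "nodeA", "nodeB")))
    wire = ctl_a.send_frame("nodeA", "nodeB", b"frame from A to B")
    tampered = bytearray(wire)
    tampered[20] ^= 0x01                                            # flip one ciphertext bit in transit
    try:
        ctl_b.receive_frame("nodeA", "nodeB", bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    # 2.5.2: nodeB -> nodeC share controller B; nodeB -> nodeD involves only controller B
    same_ctl = ctl_b.handle_open(kdc.request_association("B", "nodeB", "nodeC"))
    one_ctl = ctl_b.handle_open(kdc.request_association("B", "nodeB", "nodeD"))
    return {"delivered": ctl_b.receive_frame("nodeA", "nodeB", wire),
            "payload_hidden": b"frame from" not in wire,
            "keys_match": ctl_a.assocs[("nodeA", "nodeB")] == ctl_b.assocs[("nodeA", "nodeB")],
            "tamper_detected": tamper_detected,
            "same_controller_keyless": same_ctl is None and ctl_b.assocs[("nodeB", "nodeC")] is None,
            "one_controller_keyless": one_ctl is None and ctl_b.assocs[("nodeB", "nodeD")] is None,
            "denied_by_policy": kdc.request_association("A", "nodeA", "nodeD") is None}
```

Calling demo() runs both cases: the cross-controller association yields a key known to both controllers and the frame arrives intact, a flipped ciphertext bit fails the MDC check at controller B, the two single-controller associations are recorded without a key, and a pair the policy does not allow gets no Association Open at all.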

2.6 Trust 

With any security system, it is important to know which components must be 
trusted, and the degree of trust required. The EESS architecture was designed to 
limit the degree to which an individual DESNC controller needs to be trusted. 

The compromise of a DESNC controller may compromise the nodes protected 
by the controller, but will not compromise any other controllers or nodes on the 
LAN. This means that a controller must be protected as well as any of the nodes 
protected by the controller. 

If multiple nodes are connected to the same node port of a controller, the 
nodes can masquerade as each other. This means that those nodes must be 
mutually trusting. If this level of trust is not appropriate, a site can use DESNC 
controllers with only one node attached to each of the four node ports. 

If a KDC node or the controller that supports a KDC node is compromised, 
the security of the LAN can be compromised. This means that KDC nodes and 
KDC controllers must be protected as well as any node on the LAN. While KDC 
nodes can be used for multiple purposes, the security of the network is improved if 
the KDC nodes are limited to network management functions and access to the 
nodes is limited to trusted individuals. 
3 Determining the Encryption Key 

Unless a cryptographic system uses a single encryption key to encrypt all messages 
exchanged, it is necessary to determine whether a message is a control message or 
an encrypted node frame and which key should be used to decrypt a particular 
message. While, in many cases, it is possible to determine the correct key from 
the context and from the source and destination addresses, the choice is 
occasionally ambiguous. Placing the information in the message explicitly avoids 
any ambiguity and is also more efficient to handle. To prevent modification 
attacks on the protocol messages, it is necessary to guarantee that any 
modifications of this information are detected. 

The messages exchanged between the components of an Ethernet 
Enhanced-Security System contain two fields that are used to identify the 
encryption key. Each message contains: 

Message Type: This field identifies the type of the message and, in particular, 
whether the frame is a control frame or an encrypted node frame. 

This field is protected against modification by including a duplicate copy 
of the field in the encrypted portion of the frame (protected by the 
manipulation detection code). These copies are compared after the frame is 
decrypted. 

Encryption Identifier: Once the type of message is known, this field uniquely 
identifies the encryption key. 

Rather than use an explicit check, this field is implicitly verified. If the field 
is modified, then the wrong encryption key will be used to decrypt the frame 
and the manipulation detection check will fail. 

For encrypted node frames, DESNC controllers are designed to allow rapid 
determination of the association key from the encryption identifier. 

4 Sequence Numbers 

When Ethernet frames are encrypted, sequence numbers are used for two 
purposes: 

• To prevent attacks that involve the replay or reflection (exchange of source 
and destination addresses) of encrypted Ethernet frames. 

• To whiten messages to prevent intruders from inspecting two encrypted 
Ethernet frames and determining if the original frames (or an initial 
portion) were identical. 
Sequence numbers are used to protect both encrypted node frames transmitted 
between DESNC controllers and the control frames exchanged among the 
controllers and between controllers and KDCs. 

Sequence numbers are 4 bytes long and contain a 31 bit count value and a 
1 bit direction. 

4.1 Sequence Numbers Versus Timestamps 

While timestamps are commonly used to detect replay attacks, the EESS 
architecture uses sequence numbers. Using sequence numbers avoids the problem 
of synchronizing clocks, and sequence numbers were found to be easier to generate 
and compare than timestamps. In particular, detecting replay attacks while 
allowing for out-of-order frames is easier and requires less storage with 
sequential sequence numbers than with timestamps. 

However, sequence numbers do have their own synchronization problems. 
A pair of components can lose synchronization if one component sends a large 
number of messages while the other component is not working or is otherwise 
out of communication. For example, this may occur if a KDC is unable to 
communicate with some controllers for several days. 

The architecture provides a way to securely resynchronize sequence numbers 
when these problems occur. KDCs and controllers synchronize their sequence 
numbers when they exchange status information. This synchronization allows any 
sequence number mismatch to be corrected. To avoid any possible replay attacks, 
sequence numbers are only raised during synchronization, never lowered. 

4.2 Sequence Number Use 

The EESS architecture uses a separate sequence number stream for each 
encryption key used. The keys used to encrypt node frames are distributed upon 
demand by KDCs and are used for at most a few days. The encryption keys used 
for control messages are used for longer periods. 

Each time a message is transmitted using a particular encryption key, the 
DESNC controller (or KDC node) transmitting the message increments the 
sequence number associated with that encryption key. When a message is received, 
the recipient controller checks the sequence number and rejects the message if the 
sequence number is significantly lower than the highest sequence number received, 
or if another message has been received with the same sequence number. 

Messages are accepted out of order, and no attempt is made to reorder the 
messages or to guarantee that all messages are delivered. (These functions are not 
normally provided by the Data Link layer, and should be provided by higher 
protocol layers.) 
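Sections 3 and 4 together, as an added example rather than the paper's own code: a frame carrying a plaintext message type, an encryption identifier and a 4-byte sequence number (31-bit count, 1-bit direction), a duplicate of the type inside the protected portion, an HMAC tag standing in for the MDC, and a per-key, per-direction receive window that accepts out-of-order frames, rejects duplicates and significantly older frames, and only moves upward on resynchronization. The field sizes, the window size of 64 and the position of the direction bit are assumptions. The tag also covers the sequence number, since otherwise a captured frame could simply be re-numbered and replayed past the window.

```python
import hashlib
import hmac
import struct

MSG_CONTROL, MSG_NODE_FRAME = 1, 2   # message type values are illustrative, not the DESNC encoding
WINDOW = 64                          # how far below the highest count a late frame is still accepted (assumed)
HDR = struct.Struct(">BHI")          # plaintext header: message type, encryption identifier, sequence number

def pack_seq(count, direction):
    """4-byte sequence number: 31-bit count plus 1 direction bit (placed in the top bit here)."""
    if not 0 <= count < 2**31 or direction not in (0, 1):
        raise ValueError("count must fit in 31 bits and direction must be 0 or 1")
    return (direction << 31) | count

def unpack_seq(seq):
    return seq & 0x7FFFFFFF, seq >> 31

class ReplayWindow:
    """Receive state for one key and direction: highest count seen plus a bitmap of recent counts."""
    def __init__(self):
        self.high = -1
        self.seen = 0                # bit i set means count (high - i) has already been received

    def accept(self, count):
        if count > self.high:        # newer than anything so far: slide the window forward
            self.seen = ((self.seen << (count - self.high)) | 1) & ((1 << WINDOW) - 1)
            self.high = count
            return True
        age = self.high - count
        if age >= WINDOW or (self.seen >> age) & 1:
            return False             # significantly lower than the highest seen, or a duplicate
        self.seen |= 1 << age        # out of order but within the window: accept it once
        return True

    def resync(self, count):
        """Resynchronization during a status exchange (4.1): the count is only ever raised."""
        if count > self.high:
            self.high, self.seen = count, 0

def build_frame(key, enc_id, msg_type, seq, payload):
    body = bytes([msg_type]) + payload            # the type is duplicated inside the protected portion
    # HMAC over sequence number and body stands in for the MDC. Covering the sequence number matters:
    # otherwise a captured frame could be re-numbered and replayed past the window.
    tag = hmac.new(key, struct.pack(">I", seq) + body, hashlib.sha256).digest()[:16]
    return HDR.pack(msg_type, enc_id, seq) + body + tag

class Receiver:
    def __init__(self, keys):
        self.keys = keys             # encryption identifier -> key (association or control key)
        self.windows = {}            # (enc_id, direction) -> ReplayWindow: a separate stream per key

    def receive(self, frame):
        msg_type, enc_id, seq = HDR.unpack_from(frame)
        body, tag = frame[HDR.size:-16], frame[-16:]
        key = self.keys.get(enc_id)  # a modified identifier selects the wrong key, so the MDC check fails
        expected = hmac.new(key, struct.pack(">I", seq) + body, hashlib.sha256).digest()[:16] if key else b""
        if not hmac.compare_digest(tag, expected):
            return None, "MDC check failed"
        if body[0] != msg_type:      # explicit comparison of the two message type copies (section 3)
            return None, "message type mismatch"
        count, direction = unpack_seq(seq)
        window = self.windows.setdefault((enc_id, direction), ReplayWindow())
        if not window.accept(count):
            return None, "sequence number rejected"
        return body[1:], "ok"

def demo():
    keys = {1: b"association key for A and B.....", 2: b"control key for controller A...."}  # constructed
    rx = Receiver(keys)
    def frame(count, direction=0, enc_id=1, msg_type=MSG_NODE_FRAME, payload=b"node data"):
        return build_frame(keys[enc_id], enc_id, msg_type, pack_seq(count, direction), payload)
    r = {}
    r["in_order"] = [rx.receive(frame(c))[1] for c in (0, 1, 2)] == ["ok"] * 3
    r["gap_then_late"] = rx.receive(frame(40))[1] == "ok" and rx.receive(frame(10))[1] == "ok"
    r["duplicate"] = rx.receive(frame(10))[1] == "sequence number rejected"
    r["replay_of_old"] = rx.receive(frame(1))[1] == "sequence number rejected"
    rx.receive(frame(500))
    r["too_old"] = rx.receive(frame(400))[1] == "sequence number rejected"
    f = bytearray(frame(501)); f[0] = MSG_CONTROL                          # alter only the plaintext type
    r["type_tamper"] = rx.receive(bytes(f))[1] == "message type mismatch"
    f = bytearray(frame(502)); f[2] = 2                                    # point the identifier at the control key
    r["enc_id_tamper"] = rx.receive(bytes(f))[1] == "MDC check failed"
    f = bytearray(frame(1)); f[3:7] = struct.pack(">I", pack_seq(503, 0))  # re-number a captured frame
    r["seq_tamper"] = rx.receive(bytes(f))[1] == "MDC check failed"
    r["other_direction"] = rx.receive(frame(0, direction=1))[1] == "ok"  # reflected frames use a separate stream
    r["control_key_stream"] = rx.receive(frame(0, enc_id=2, msg_type=MSG_CONTROL))[1] == "ok"
    window = rx.windows[(1, 0)]
    window.resync(100)
    r["resync_never_lowers"] = window.high == 500
    return r
```

demo() exercises each acceptance and rejection path: in-order and moderately late frames are accepted once, a second copy of an accepted frame and a frame more than WINDOW behind are rejected, changing the plaintext type or the encryption identifier is caught (by the duplicate-type comparison and by the failed MDC respectively), re-numbering a frame fails the MDC, each key and direction keeps its own stream, and resync() refuses to lower the high-water mark.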
5 Interoperability 

Because encrypted Ethernet traffic will probably be using the same Ethernet cable 
as unencrypted traffic, an Ethernet security system must be a 'good neighbor' on 
the LAN. This implies that the system must: 

• Follow the Ethernet physical standards, including the restriction on 
maximum frame length, 

• Follow standard Ethernet packet formats by including valid frame headers 
on all transmitted frames, and 

• Allow the LAN to be maintained, or at least not prevent standard LAN 
maintenance operations. 

The implications of each of these restrictions are discussed below. 

5.1 Frame Length 

For several reasons, including the addition of sequence numbers to frames, it is 
necessary for the size of frames to be increased when the frames are encrypted by 
DESNC controllers. However, to satisfy the Ethernet standard, the Ethernet 
frames transmitted by DESNC controllers must not be more than 1518 bytes long. 
There are two possible resolutions to these two requirements: Either restrict 
controllers to only encrypting frames that are short enough to be encrypted 
without exceeding the length restriction, or fragment long Ethernet frames when 
they are encrypted. 

We chose to fragment long Ethernet frames when they are encrypted by a 
controller, and to reassemble them transparently when they are decrypted by the 
recipient controller (before they are transmitted to the destination). When one 
long Ethernet frame is transmitted by a node, two separately encrypted Ethernet 
frames are sent from one DESNC controller to the other. The recipient controller 
checks each frame and uses the two frames to rebuild the original Ethernet frame. 
The frame received by the destination node is identical to the frame transmitted 
by the source node. 

Fragmentation affects the performance for long frames because it is necessary 
to send twice as many frames. But it is possible for network users to voluntarily 
reduce the length of Ethernet frames they transmit. This reduction avoids the 
need for fragmentation for the applications that can handle a reduced maximum 
frame length, but the fragmentation allows any existing application to continue to 
work correctly even if it sends maximum length Ethernet frames. 
5.2 Frame Header 

When frames are encrypted, the source and destination addresses are left 
unencrypted and the rest of the original header is replaced by an IEEE 802 header 
with a protocol identifier that identifies the frame as an encrypted frame. 
The reasons for this are: 

• If the addresses were encrypted, then Ethernet bridges would no longer 
be useful in filtering network traffic and there would be a significant 
performance penalty because it would be necessary for every node to 
decrypt each frame to determine if it is the intended recipient. 

The addresses are authenticated by the encryption key used, so there is no 
loss of node authentication due to plaintext addresses. 

• If the original header (other than the addresses) was encrypted, the header 
would no longer have a valid format (i.e., it would probably have an 
unassigned Ethernet protocol type, or an incorrectly formatted IEEE 802 
header), thereby confusing LAN monitoring tools. 

• If the original header is left unchanged, the rest of the message would look 
malformed (for a message with that header) because it was encrypted. This 
would also confuse LAN monitoring tools. (Also, an integrity check would be 
necessary for the header.) 

• A distinct header provides an easy way to determine if a message needs to 
be decrypted when it is received. 

Therefore, even though the extra header increases the overhead of encrypting 
the Ethernet frames, the header is added because it simplifies the processing of 
the frames and prevents confusion over the contents of the frame. 

5.3 Network Maintenance 

While it is necessary to replace the headers of encrypted Ethernet frames with 
headers containing protocol identifiers that identify the frame as being encrypted, 
the original header is also useful to network management tools. Tools that can 
examine this header can determine how a LAN is being used. 

For this reason, DESNC controllers include the original header of the frame 
(except for the addresses) in unencrypted form after the header that identifies the 
frame as being encrypted. The header is also included in the encrypted portion of 
the message so that attempted modifications to the message can be detected. 

When the frame is encrypted the DESNC controller examines the start of the 
frame and determines the frame format and the size of the header fields (excluding 
the addresses). DESNC controllers distinguish between: 

• Ethernet format frames (with only a 2 byte protocol type), 
• IEEE 802 format frames (with 5 or 6 bytes of header fields), and 

• IEEE 802 format frames with protocol identifier (with 10 bytes of header 
fields). 

The original header fields are copied into a 10 byte field in the encrypted message. 
This field is zero-padded if the header fields are shorter than 10 bytes. 
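The header handling of 5.2 and 5.3 and the fragmentation of 5.1, as an added example that is not the DESNC implementation: classify the original header as Ethernet, IEEE 802, or IEEE 802 with SNAP protocol identifier; copy its fields into the 10-byte zero-padded field; and split the frame into two when the encapsulated frame would exceed the Ethernet maximum. The protocol identifier that marks encrypted frames, the fragment control byte and the placement of the sequence number are assumptions; encryption and the MDC are left out so that the framing alone is visible.

```python
import struct

MAX_FRAME = 1518                 # Ethernet maximum including the 4-byte FCS
MAX_BUILD = MAX_FRAME - 4        # what software may hand to the interface before the FCS is appended
HDR_COPY = 10                    # original header fields are copied into a 10-byte, zero-padded field
# LLC/SNAP header (DSAP, SSAP, control, OUI, PID) whose protocol identifier marks an encrypted frame (assumed value)
ENC_SNAP = b"\xAA\xAA\x03" + b"\x00\x00\x00" + b"\xEE\xEE"
# addresses, 802.3 length, LLC/SNAP, plaintext header copy, fragment byte, sequence number, protected header copy
OVERHEAD = 12 + 2 + len(ENC_SNAP) + HDR_COPY + 1 + 4 + HDR_COPY

def classify_header(frame):
    """Return (kind, header_fields): the header bytes after the two addresses, as the controller distinguishes them."""
    type_or_length = struct.unpack_from(">H", frame, 12)[0]
    if type_or_length >= 0x0600:                           # Ethernet format: a 2-byte protocol type
        return "ethernet", frame[12:14]
    dsap, ssap, control = frame[14], frame[15], frame[16]
    if dsap == 0xAA and ssap == 0xAA and control == 0x03:  # IEEE 802 with SNAP protocol identifier
        return "ieee802_pid", frame[12:22]                 # length(2) + LLC(3) + OUI(3) + PID(2) = 10 bytes
    llc = 3 if control & 0x03 == 0x03 else 4               # U-format control is 1 byte, I/S-format is 2
    return "ieee802", frame[12:14 + llc]                   # 5 or 6 bytes

def _build(addresses, header_copy, fragment, seq, protected):
    body = ENC_SNAP + header_copy + bytes([fragment]) + struct.pack(">I", seq) + protected
    return addresses + struct.pack(">H", len(body)) + body

def encapsulate(frame, seq):
    """Keep the addresses in clear, replace the header (5.2), expose the original header (5.3) and, when the
    result would exceed the Ethernet maximum, split the frame into two (5.1). In the real system the
    protected part is encrypted and followed by an MDC; that step is omitted here."""
    _, fields = classify_header(frame)
    header_copy = fields.ljust(HDR_COPY, b"\x00")
    addresses, payload = frame[:12], frame[12 + len(fields):]
    if OVERHEAD + len(payload) <= MAX_BUILD:
        return [_build(addresses, header_copy, 0, seq, header_copy + payload)]
    half = (len(payload) + 1) // 2
    return [_build(addresses, header_copy, 1, seq, header_copy + payload[:half]),
            _build(addresses, header_copy, 2, seq + 1, header_copy + payload[half:])]

def decapsulate(frames):
    """Check each fragment's protected header copy against the plaintext copy, reassemble, and restore the header."""
    parts = {}
    for f in frames:
        addresses, body = f[:12], f[14:14 + struct.unpack_from(">H", f, 12)[0]]
        if body[:len(ENC_SNAP)] != ENC_SNAP:
            raise ValueError("not an encrypted frame")
        header_copy = body[len(ENC_SNAP):len(ENC_SNAP) + HDR_COPY]
        fragment = body[len(ENC_SNAP) + HDR_COPY]
        protected = body[len(ENC_SNAP) + HDR_COPY + 5:]   # skip the fragment byte and the sequence number
        if protected[:HDR_COPY] != header_copy:
            raise ValueError("plaintext header copy was modified in transit")
        parts[fragment] = (addresses, header_copy, protected[HDR_COPY:])
    if 0 in parts:
        addresses, header_copy, payload = parts[0]
    elif 1 in parts and 2 in parts:
        addresses, header_copy, _ = parts[1]
        payload = parts[1][2] + parts[2][2]
    else:
        raise ValueError("incomplete fragment set")
    _, fields = classify_header(addresses + header_copy)   # the copy begins with the original fields
    return addresses + fields + payload

def demo():
    addresses = bytes.fromhex("020000000001") + bytes.fromhex("02000000000b")   # dst, src (constructed)
    frames = {
        "ethernet": addresses + b"\x08\x00" + b"ip-payload" * 10,
        "ieee802": addresses + struct.pack(">H", 1400) + b"\xF0\xF0\x03" + b"N" * 1397,
        "ieee802_pid": addresses + struct.pack(">H", 1500) + b"\xAA\xAA\x03\x00\x00\x00\x08\x00" + b"S" * 1492,
    }
    report = {}
    for name, frame in frames.items():
        kind, fields = classify_header(frame)
        fragments = encapsulate(frame, seq=100)
        report[name] = {"kind": kind, "fragments": len(fragments),
                        "fits": all(len(f) <= MAX_BUILD for f in fragments),
                        "roundtrip": decapsulate(fragments) == frame,
                        "header_in_clear": fragments[0][22:22 + len(fields)] == fields}
    damaged = bytearray(encapsulate(frames["ethernet"], seq=7)[0])
    damaged[22] ^= 0x01                                       # alter the plaintext header copy only
    try:
        decapsulate([bytes(damaged)])
        report["tamper_detected"] = False
    except ValueError:
        report["tamper_detected"] = True
    return report
```

The maximum-length SNAP frame is the only one that no longer fits once the overhead is added, so it is carried as two fragments that the receiver reassembles into a byte-identical frame; the short Ethernet and IEEE 802 frames travel as one frame each. The plaintext header copy at a fixed offset is what a monitoring tool would read, and the copy inside the protected portion is what lets the receiver notice when the exposed one has been altered.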
ABSTRACT 

Users of large communication networks often require a multi-party teleconferencing facility. The most 
common technique for providing secure audio teleconferencing requires the speech of each participant to be 
returned to clear form in a bridge circuit where it is combined with the speech of the other participants. The 
combined signal is then re-encrypted for distribution to the conferees. This introduces a security weakness 
as the bridge works with the clear speech and the cipher keys for all of the participants. In this paper we 
describe secure conferencing systems in which some of the bridge functions are distributed among the users 
so that no additional security weakness is introduced. The network conference bridge knows the addresses of 
the participants and receives and distributes the encrypted speech without modification. The conference 
system can be used with a number of encryption algorithms and the system is suitable for deployment on 
digital networks such as ISDN. High quality and robust secure voice communications can be provided with 
this technique. 

Introduction 

As the use of secure communication techniques becomes more widespread, the need 
will grow for convenient secure conferencing facilities. Conferences allow a number of 
separated callers to participate in a group discussion. Some facilities also include video, 
data, and graphics facilities for these conferences. To provide a secure conference call, the 
conference facility is augmented with security features. The intent is to provide privacy 
(through encryption) and authentication of the participants. 

In this paper we will outline some practical considerations for providing secure audio 
conference facilities within the public switched telephone network (PSTN). The basic 
problem to be resolved is to find a practical means to apply the mechanisms of encryption 
and authentication protocols to a multi-party conference without compromise of the security 
but within the constraints of the network. The goal is to achieve a conference facility that 
can be operated by the network supplier without concern for security features and thus 
leave the customers free to select the security systems to meet their individual needs. 

Firstly, we will outline the requirements for a conference facility and point out the 
limitations of certain implementation techniques. The principal concerns are the non-linear 
coding of the speech in the PSTN and the requirements for limited bandwidth and 
minimum delay. We will introduce the concept of a distributed conference system and will 
review a distributed authentication scheme. A further conferencing technique, suitable for 
networks with long transmission delays, will also be outlined. We will conclude that 
secure conference systems are practical in the PSTN, and that they can be safely provided 
to meet the user's requirements. The Integrated Services Digital Network (ISDN) is 
especially well adapted to providing these secure services. 

Basics of Audio Conferencing 

Figure 1 shows the typical configuration of a conference system and in this section 
we will review some of the basic operations. This section is included to provide 
background on the operation of conference circuits. The users (conferees) are connected 
by the communications network (usually the PSTN) to a "conference bridge" circuit. This 
circuit functions to sum together the speech from all the participants and to distribute this 
sum (which is the conference signal) to all the conferees. The network connections may be 
established with the assistance of a conference operator (who may be a participant in the 
conference) or it may be a "dial-in" conference where participants dial a special directory 
number to reach the bridge and be included in the conference. Usually an audible signal or 
a verbal protocol is used to announce when people enter or leave the conference. 

Figure 1 - Audio Conference Bridge (conferees connected through the communication network to the bridge) 

In concept, the bridge circuit simply sums the speech signals from each participant 
and distributes this as the conference signal for all to hear. In practice the process is a bit 
more complicated. One complication is that the signal sent to a participant should not 
include the participant's own speech. If it does, then transmission delays can cause 
objectionable echoes. Thus the conference sum sent to speakers differs from that sent to 
passive listeners. 

The accumulation of noise is another important consideration in an analogue network. 
In order to avoid the buildup of noise, the bridge will usually monitor the incoming signals 
and only distribute the loudest, or perhaps a weighted sum of the 2 loudest, speakers to all 
the others (see for example [1]). As an alternative, the bridge may include a threshold, and 
only include a conferee's signal in the conference if the level exceeds the threshold. Noise 
from the idle channels is kept to a minimum with this arrangement. 

Many bridges also include an automatic gain control (AGC) function to equalize the 
speech volumes of distant and near conferees and of loud and soft speakers. 

It is important to keep in mind that in a digital system voice signals are encoded with 
non-linear codes designed to increase the dynamic range and minimize the effects of 
quantization noise. The standard PSTN codes for speech are called μ-law (in North 
America) and A-law (in Europe) [2]. Speech signals encoded with these codes must be 
converted to a linear representation before the bridge can process them. 

There are thus a number of functions required of the bridge to support conferencing: 

- summation of speech signals 

- code conversions (μ-law or A-law to linear) 

- automatic gain control (AGC) 

- identification 

The concept of a bridge circuit can be extended to a secure conference as shown in 
Figure 2. Since the speech signals are now encrypted the bridge circuit can not simply sum 
the signals as the encryption is typically a non-linear process. (Here we define "non- 
linear" to mean that two encrypted signals cannot be summed to yield a third signal that can 
be decrypted to meaningful speech.) 
Figure 2 shows one possible arrangement for a secure conference. In this case the 
telephone sets have been augmented with encryption and authentication devices. In normal 
two-party use these sets provide end-to-end encryption protection. The bridge is also fitted 
with like devices at its ports. Thus the bridge can receive a secure call from each 
participant, decrypt the speech, perform the conference operations (linearize, threshold, 
summation), and then encrypt the result for distribution to the conferees. This is a simple 
extension to the concept of a conference bridge. 
Figure 2 - Conventional Conference Bridge with Security 

This method requires the bridge circuit to know the encryption keys for all parties and 
clear speech is contained within the unit. Thus, the conference bridge must be included 
when determining the security of the communications system. This is often referred to as a 
"red" bridge because its internal signals are unprotected by encryption, and it introduces a 
point of weakness in the system. Some users may not wish to trust the security of a bridge 
operating outside their direct control. It is thus desirable to make a conference unit that can 
operate without requiring the speech to be in clear form. This would be referred to as a 
"black" bridge because all of its signals are protected by encryption. 

One possible approach to providing a black bridge has been proposed by Brickell, 
Lee, and Yacobi [3]. In this method, an encryption process is used with certain linear 
properties which allow the bridge circuit to sum and distribute the signals without the need 
for decryption. Unfortunately this limits the number of applicable encryption techniques 
and not all users would be willing to trust these schemes. This method also restricts the 
speech coding techniques allowed, produces bandwidth expansion, and requires 
synchronization (in time) of the signals from all of the conferees. This scheme, for 
example, is unable to use the standard μ-law coded speech common in the PSTN. It is 
thus desirable to design a method which can function independently of the encryption 
process and the speech coding, and also does not require any special synchronization. 

The Distributed Bridge 

Returning for a moment to Figure 2, note that one place where speech must be in 
clear form is at the users' telephone terminals. Decrypted speech must be provided at these 
points for the conferees to hear. The security weakness inherent in the red conference 
bridge will be eliminated if the conference operation is migrated out to the telephone sets 
where clear speech must always be available for the users. 

One way to accomplish this is shown in Figure 3. In this case each telephone set is 
equipped with a simple three-party conference circuit in addition to two 
encryption/decryption units. The sets are connected to the digital switching network by 
two logical circuits. These access connections would typically be made using digital loop 
technology. A chain-like connection pattern is established between the parties to form the 
conference. Each party receives the signals from its neighbours, sums these with its local 
speech input, and forwards the result along the chain. Each party hears the speech of all 
the others as the signal is passed down the chain. There is no centralized bridge. The 
function is distributed among the participants. No additional security risk is introduced by 
this distributed bridge as clear speech must be available at each phone for the conferees to 
hear anyway. Modern signal processing chips can be used to perform the bridge functions 
in each user's terminal. 
Figure 3 - Distributed Secure Conference Bridge 

One of the difficulties with a chain-like conference connection of this type is that 
anyone dropping out of the conference breaks the chain. The conference would thus be 
split into two disconnected parts. This may be overcome by incorporating a conference 
control unit (CCU) in the network. This CCU keeps the list of network addresses of the 
(active) participants and is responsible for maintaining the connections through the 
communications network to all the parties, and automatically reconfiguring the connections 
when the list of participants changes. This is illustrated in Figure 3 by the rectangle labeled 
conference control unit. In normal operation, the CCU is under the direction of a 
conference operator. This may be a network resource person, or it may be simply a 
participant acting as chairperson and controlling the CCU via a separate communications 
channel. If parties wish to be added or deleted from the conference, the CCU will 
automatically reconnect the network to the new configuration. Thus, while we technically 
have a chain-like connection, operationally it behaves like the common star topology for 
conference systems. Note that this conference control unit could be implemented as a 
software program operating in the switching nodes of the communications network. 

Figure 3 shows two connections from each phone to the network (except for the ends 
of the chain). While this could be implemented as two physical connections, modern 
digital techniques allow the multiplexing of two speech channels on a single pair of wires. 
The Integrated Services Digital Network (ISDN), for example, directly supports two 64 
kbps speech channels (the "B" channels) plus a signaling channel (the "D" channel) on a 
single subscriber pair. Thus the distributed conference configuration could easily be 
implemented in an ISDN environment, and in fact we have tested such an arrangement on 
the BNR ISDN facilities. Other multiplexing techniques can also be used to maintain a 
single subscriber access connection and to reduce the number of network connections. 

In analogue communication networks, the chain-like connection of Figure 3 would 
be impractical due to the accumulation of transmission and idle channel noise. (Each party 
receives the accumulated sum of all the noise sources along the chain.) In digital 
transmission, noise does not accumulate on tandem connections, and bit errors can be 
corrected by the use of suitable error correcting codes. Inherent in any digital speech 
coding system is quantization and coding noise. However, with suitable speech coding 
techniques, such as the standard companded PCM, ADPCM [5], and the CCITT wideband 
audio standard [6], this noise will not accumulate in the tandem connections used in this 
conference arrangement. The conferencing algorithm at each terminal can be designed with 
a local speech detector and AGC function. The speech detector would only include local 
speech input when speech is present to eliminate the accumulation of idle channel noise. 
The AGC function would equalize the conference levels. 

With this technique there is no central bridge to be cracked to compromise security, 
and the conferees are free to use encryption techniques of their own choosing. The 
telecommunications supplier can provide the conference control unit to facilitate the service. 

Distributing Conference Bridge 

We have described in the previous section a distributed conference bridge in which 
the parties are connected in a chain-like manner and the conference operations are 
distributed among the participants. This system is suitable for many applications where the 
transmission delays are not severe. With this arrangement the coding delays are negligible 
and the CCU can make the network connections to minimize the transmission delays. 
However if several satellite connections were involved in the conference the chain-like 
arrangement would not be satisfactory as significant delay would accumulate along the 
chain. Figure 4 illustrates the concept of another conferencing arrangement which is not as 
sensitive to delay. 
Figure 4 - Distributing Bridge 

In this arrangement, each secure telephone set is connected to the PSTN with 2 
channels. The use of multiplexing and digital access technology makes this arrangement 
practical with a single wire pair. Participants in the conference are connected by the 
network to the distributing bridge. During operation, each terminal sends to the bridge two 
signals. One of these signals is the encrypted speech from the participant. The second 
signal is information giving the average volume level of the speech for the preceding time 
period of, say, 4 milliseconds. The bridge unit would examine the volume level information 
from all the participants, and distribute to each conferee the two loudest encrypted speech 
signals (other than the conferee's own signal) using the two channel connections. The 
terminals would receive these two encrypted speech signals, decrypt them and present the 
sum to the local listener. As the speaker activity in the conference changed, the volume 
level information would reflect the new speakers, and the bridge would distribute the new 
speakers. Initially, cryptographic session keys would be developed among all participants 
by means of a protocol such as the one described in the next section. 

In Figure 5 we give a simple illustration of how this might be implemented. Three 
terminals are involved in this example conference. The diagram illustrates the signals sent 
by terminals 1 and 2 towards the bridge. These are the encrypted speech signals and the 
volume level information. In this example, speaker 1 is followed by speaker 2. The 
encryption process uses a cipher-feedback mode of operation. The listener at terminal 3 
will receive a short pause to signify the change of speakers and allow a change of crypto- 
key if required. The beginning of the new speaker's encrypted speech would be preceded 
by a short period of extra data to allow the encryption process to resynchronize. This 
synchronization period would be muted by the receiver. 
Figure 5 - Operation of Distributing Bridge 

This form of conference bridge handles only encrypted signals and acts only as a 
distributing center. The users must give out extra information in the form of the average 
speech level. In the simplest implementation this information would be in the clear. 
However, it could be sent to the bridge using an encrypted channel. (If the bridge is to 
remain truly black there is no advantage in doing this.) This average level does not reveal 
the speech signal but it does represent a (small) leak of information that some users may 
find unacceptable. This system does not suffer from significant problems with long delay 
paths as it uses a star topology for the network connections. 
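Both bridge arrangements, as an added simulation that is not from the paper (which describes terminals and a CCU built on BNR's ISDN facilities): the chain of Figure 3, where each terminal adds its speech-detector-gated input to the partial sums arriving from its neighbours and forwards them on, and the distributing bridge of Figure 4, which forwards ciphertext untouched and selects for each listener the two loudest other speakers from the reported levels. The sample signals are constructed integers in a linear PCM style; the speech threshold, the channel assignment rule and the opaque ciphertext stand-ins are assumptions.

```python
import random

SPEECH_THRESHOLD = 300   # speech detector: a period whose average level is below this is treated as idle (assumed)

def average_level(samples):
    """Average magnitude over one period: the volume information a terminal reports to a distributing bridge."""
    return sum(abs(s) for s in samples) / len(samples)

def chain_conference(local_speech):
    """Distributed bridge (Figure 3). Terminals form a chain; each adds its speech-gated local input to the
    partial sum arriving from one neighbour and forwards the result to the other neighbour, in both
    directions. Returns the signal each terminal hears: every other active speaker, never itself."""
    n, length = len(local_speech), len(local_speech[0])
    silence = [0] * length
    gated = [s if average_level(s) >= SPEECH_THRESHOLD else silence for s in local_speech]
    rightward = [silence] * n   # rightward[i]: sum of terminals 0..i, sent from i to i+1
    leftward = [silence] * n    # leftward[i]: sum of terminals i..n-1, sent from i to i-1
    for i in range(n):
        incoming = rightward[i - 1] if i > 0 else silence
        rightward[i] = [a + b for a, b in zip(incoming, gated[i])]
    for i in reversed(range(n)):
        incoming = leftward[i + 1] if i < n - 1 else silence
        leftward[i] = [a + b for a, b in zip(incoming, gated[i])]
    heard = []
    for i in range(n):
        from_left = rightward[i - 1] if i > 0 else silence
        from_right = leftward[i + 1] if i < n - 1 else silence
        heard.append([a + b for a, b in zip(from_left, from_right)])   # neighbours' sums only: no own echo
    return heard

def distributing_bridge(ciphertexts, levels, previous=None):
    """Black bridge (Figure 4). The bridge sees only ciphertext and reported levels. For each listener it
    forwards the two loudest other speakers on two channels, keeping a retained speaker on the same channel
    so that only a changed channel needs the pause and resynchronization preamble of Figure 5.
    Returns {listener: [(speaker, ciphertext, changed), (speaker, ciphertext, changed)]}."""
    n = len(levels)
    result = {}
    for listener in range(n):
        loudest = sorted((i for i in range(n) if i != listener), key=lambda i: levels[i], reverse=True)[:2]
        old = [spk for spk, _, _ in previous[listener]] if previous else [None, None]
        channels = [spk if spk in loudest else None for spk in old]
        for spk in loudest:
            if spk not in channels:
                channels[channels.index(None)] = spk
        result[listener] = [(spk, ciphertexts[spk] if spk is not None else None, spk != old[ch])
                            for ch, spk in enumerate(channels)]
    return result

def demo(seed=1):
    rng = random.Random(seed)
    length = 32
    talkers = [[rng.randint(-8000, 8000) for _ in range(length)] for _ in range(3)]   # constructed speech
    idle = [rng.randint(-20, 20) for _ in range(length)]                              # idle channel noise only
    terminals = talkers + [idle]
    heard = chain_conference(terminals)
    expected = lambda excluded: [sum(talkers[j][k] for j in range(3) if j != excluded) for k in range(length)]
    ciphertexts = [b"ciphertext-%d" % i for i in range(4)]     # opaque encrypted speech (constructed)
    first = distributing_bridge(ciphertexts, levels=[900, 800, 300, 10])
    second = distributing_bridge(ciphertexts, levels=[900, 100, 300, 700], previous=first)   # 3 replaces 1
    return {"talkers_hear_every_other_talker": all(heard[i] == expected(i) for i in range(3)),
            "idle_terminal_hears_all_talkers": heard[3] == expected(None),
            "first_period_listener2": sorted(spk for spk, _, _ in first[2]) == [0, 1],
            "second_period_listener2": [spk for spk, _, _ in second[2]] == [0, 3],
            "only_changed_channel_flagged": [chg for _, _, chg in second[2]] == [False, True],
            "ciphertext_forwarded_unchanged": all(ct == ciphertexts[spk] for spk, ct, _ in first[2])}
```

In the chain, the idle terminal's low-level noise is gated out by the speech detector, so nobody hears it while it still hears everyone else; in the distributing bridge, when terminal 3 overtakes terminal 1 in level, listener 2 keeps terminal 0 on its first channel and only the second channel is flagged as changed, which is where the pause and resynchronization preamble would go.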



Key Distribution and Authentication 

The operation of security features in a large network is dependent upon the proper 
distribution of encryption keys and the authentication of terminals and users. Practical 
techniques to provide for two-party end-to-end encryption and authentication systems in 
the public network are available [4]. These use a "hybrid cryptosystem" with public key 
techniques being used for key distribution and authentication, and conventional ciphers 
being used for encryption of the speech. There are two basic requirements. One is for the 
secure distribution of the conventional encryption keys (also known as session keys), and 
the second is for the authentication of the participants. 

These protocols are designed to provide a new session key for each connection to 
ensure privacy. These session keys are generated by a random process at each terminal 
and exchanged between terminals using the exponential key exchange technique of Diffie 
and Hellman [7]. The terminals are identified by means of certificates. These certificates 
are prepared by the central key management facility (KMF) using public key signature 
techniques and are unique for each terminal. By exchanging these certificates and verifying 
the signature of the KMF, the terminals are assured of the identity of their correspondents. 
Finally to guard against active intruders in the circuit, challenge messages are exchanged 
between the terminals. Typically the terminal is asked to sign with its private key a 
message sent by the other terminal. An intruder would be unable to respond to such a 
challenge with the needed signature. These techniques can be extended to multi-party 
conference systems and we will briefly outline below a simple key distribution and 
authentication scheme that is suitable for use with the distributed bridge. Note that while 
this description is in the context of an audio conference, the protocols are general and could 
be applied to data or video conferences. Brickell, Lee and Yacobi [3] have also proposed 
authentication protocols for conference calls. The scheme described below provides for 
both authentication and the distribution of conventional crypto keys. This provides both 
privacy and authentication for the conference. 

Figure 6 - Distributed Authentication: N-party exponential key exchange (and challenge 
messages), broadcast of certificates, responses to challenge messages. 



The key distribution and authentication phase of the conference set up would take 
place at the beginning of the conference before the onset of speech or data communications. 
The process would be repeated each time a party is added to the conference. During this 
set up phase, the conference control unit operates in a broadcast mode so that messages 
sent to it are distributed to all participants. This is illustrated in Figure 6. 

The process for distributed authentication in a conference with n participants is 
divided into six steps as follows: 

1) Each terminal, i, generates a random number x_i and calculates the 
exponential y_i ← α^{x_i} and sends this to the CCU for broadcast to the other 
terminals. (α is the pre-established common base and calculations are performed 
modulo a large prime p.) 

2) Each terminal now has the set of y_i. This set can be used to provide an 
order for the terminals. A convenient order would assign the terminals an index 
based on the magnitude of the y_i. (Terminal 1 generated the smallest of the y_i etc. In 
the unlikely event that two of the y_i were equal then the terminals would be expected 
to submit new values.) The order could also be established by the CCU based on the 
chain topology of the connections. 

3) Each of the terminals will now calculate an exponential of the following 
form : 

X ← α^{x_n α^{x_{n-1} ··· α^{x_2 x_1}}} 

Terminals 1 and 2 can calculate X based on their knowledge of the y_i and their own 
x_i. However, terminals 3 to n require further information to calculate X. This 
information comes in the form of the numbers w_1 ... w_{n-1} calculated by the terminals 
and broadcast to the other terminals. The terminals proceed as follows : 

Terminal 1 performs the following operations : 
X ← x_1, 
for j = 2 to n do the following : 
X ← y_j^X. 

Terminal i (for i = 2 to n-1) performs the following : 
receive w_{i-1} via the CCU 
(Terminal 2 uses w_1 ← y_1), 
X ← w_{i-1}^{x_i}, 
w_i ← α^X, 
broadcast w_i to all other terminals via the CCU, 
for j = i+1 to n do the following : 
X ← y_j^X. 

Terminal n performs the following operation : 
X ← w_{n-1}^{x_n}. 

4) All terminals now share the number X which can be used to derive a 
common session key for the conference. This key would be used to encrypt all 
further transmissions. It is not necessary to use a common session key. The number 
X could also be used by pairs of terminals to form a unique session key for their 
connections. 

5) Each terminal broadcasts (via the CCU) its certificate, and verifies the 
signature on all received certificates. 

6) Each terminal signs with its secret key a suitable hash function of the set of 
numbers y_i and broadcasts this (via the CCU) to all other terminals. Each terminal 
verifies the signature of these messages. 
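The chain computation of step 3, with the ordering rule of step 2 and the "terminal n+1" extension described later in this section, as an added Python simulation that is not the paper's code. The prime, base and secrets are constructed toy values; certificates and signatures (steps 5 and 6) are not modelled, and SHA-256 is an assumed key derivation.

```python
# Added simulation of the distributed key exchange (steps 1-3 above) and of adding a
# party to a running conference.  The prime p, the base a (ALPHA) and the secrets are
# constructed toy values, far too small for real use; certificates and signatures
# (steps 5 and 6) are not modelled, and SHA-256 is an assumed key derivation.
import hashlib

P = 2111                       # constructed toy prime p; P-1 = 2 * 5 * 211
ALPHA = next(c for c in range(2, P)            # common base a: a generator of GF(p)*
             if all(pow(c, (P - 1) // q, P) != 1 for q in (2, 5, 211)))


def terminal_step3(i, x, y, w):
    """What terminal i (1-based) computes in step 3.  It sees only its own secret
    x[i], the broadcast y_j and the w_j already broadcast.  Returns (X, w_i) where
    w_i is None for terminals 1 and n, which broadcast nothing in this step."""
    n = len(y) - 1
    if i == 1:
        X = x[1]
        for j in range(2, n + 1):
            X = pow(y[j], X, P)
        return X, None
    X = pow(w[i - 1], x[i], P)                 # terminal 2 uses w_1 = y_1
    if i == n:
        return X, None
    w_i = pow(ALPHA, X, P)                     # broadcast to the later terminals
    for j in range(i + 1, n + 1):
        X = pow(y[j], X, P)
    return X, w_i


def run_conference(secrets):
    """Steps 1-3 for every terminal.  secrets[k] is terminal k's x in [1, p-2].
    Returns (order, Xs): order[pos] is the original index of the terminal placed at
    chain position pos+1, and Xs[pos] is the X that terminal ended up with."""
    n = len(secrets)
    if n < 2:
        raise ValueError("a conference needs at least two terminals")
    ys = [pow(ALPHA, s, P) for s in secrets]   # step 1: y_i = a^x_i, broadcast via CCU
    if len(set(ys)) != n:                      # step 2: equal y_i means resubmit
        raise ValueError("colliding y values: the terminals must submit new values")
    order = sorted(range(n), key=lambda k: ys[k])   # step 2: smallest y_i is terminal 1
    x = [None] + [secrets[k] for k in order]   # 1-based, in chain order
    y = [None] + [ys[k] for k in order]
    w = [None] * (n + 1)
    w[1] = y[1]
    X = [None] * (n + 1)
    for i in range(2, n):                      # terminals 2..n-1 must run in chain order
        X[i], w[i] = terminal_step3(i, x, y, w)
    X[1], _ = terminal_step3(1, x, y, w)       # needs only the y_j
    X[n], _ = terminal_step3(n, x, y, w)       # needs w_{n-1}
    return order, X[1:]


def closed_form(x_in_order):
    """a^(x_n a^(x_{n-1} ... a^(x_2 x_1))) from all secrets at once; a check only,
    no single terminal can compute this."""
    X = pow(ALPHA, x_in_order[1] * x_in_order[0], P)
    for xj in x_in_order[2:]:
        X = pow(ALPHA, xj * X, P)
    return X


def session_key(X):
    """Common session key derived from the shared number X (assumed KDF)."""
    return hashlib.sha256(X.to_bytes(4, "big")).digest()


def add_party(X_common, x_new):
    """Terminal n+1 joins: the existing parties raise y_{n+1} to X, the newcomer raises
    w_n = a^X (broadcast by one existing party) to its secret.  Returns both views of X'."""
    y_new = pow(ALPHA, x_new, P)
    w_n = pow(ALPHA, X_common, P)
    return pow(y_new, X_common, P), pow(w_n, x_new, P)


if __name__ == "__main__":
    order, Xs = run_conference([17, 905, 1333, 42])   # constructed secrets
    print(order, Xs, session_key(Xs[0]).hex())
```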

Step 1 requires a total of n broadcast messages. Step 3 requires n-2 messages. 
Steps 5 and 6 each require n broadcast messages. This gives a total of 4n-2 broadcast 
messages. Note, however, that the certificates and response messages (5 and 6) could be 
combined into a single message for transmission. In this case the total number of 
broadcast messages is 3n-2. The number of exponentiation operations to be performed by 
each terminal for key generation depends on the terminal's location in the sequence. 
Terminals 1 and 2 must perform n exponentiations. Verifying the certificates, and 
responding to the challenge for authentication would require an additional 2 operations and 
thus a total of 3n exponentiations could be required. Note that this grows linearly with n. 
Once the authentication phase is completed, the conference control unit can switch from the 
broadcast to the chain mode. With this procedure, the authentication process is distributed 
and thus no party need rely on a centralized bridge for the security of the call. However, a 
trusted key management facility is required for the creation of the user's certificates. 

The procedure for adding or deleting parties to the conference will depend on the 
security policy of the participants. Some policies may require a new session key and a 
complete re-authentication of all parties each time the network configuration changes. In 
the simple scheme described above, if a common session key is used, the chain may be 
reconnected (with an appropriate mechanism for crypto resynchronization) when a party 
leaves. An additional party may be accommodated by simply labeling it as terminal n+1 and 
appending its input (y_{n+1}) to the accumulated chain calculation. This would result in a 
new common number X' and a new session key. Changes in the participation in the 
conference can thus be accommodated with a minimum of interruption. 

Thus it is practical to provide a true black bridge for secure teleconferencing in the 
public or other large networks. A wide variety of digital encryption processes can be used. 
The authentication mechanisms can function with many public key systems. Users are free 
to choose whatever system they feel comfortable with. They are also free to change the 
operation of the security system without consultation with the network provider. These are 
significant benefits for the widespread use of and confidence in the system. 

Conclusions 

We have described secure teleconferencing systems which can be operated in the 
public communications network. In these systems, advantage is taken of the fact that clear 
speech must be available at each telephone set for the local participant, and this can be used 
with a distributed conference circuit to provide a multi-party conferencing system. The 
network conference control unit knows the addresses of all the participants but its role is 
limited to providing channel connections and demultiplexing and distributing unaltered 
signals from the participants. The conference unit does not need to know any security 
information. The system can operate with a number of security methods and network 
configurations, and the users are free to select the techniques that they are most comfortable 
with. The system is suitable for implementation in digital networks such as ISDN, and can 
provide extremely high quality and robust operation. 
Abstract 

Diffie and Hellman proposed a key exchange scheme in 1976, which got 
their name in the literature afterwards. In the same epoch-making paper, 
they conjectured that breaking their scheme would be as hard as taking 
discrete logarithms. This problem has remained open for the 
multiplicative group modulo a prime P that they originally proposed. 
Here it is proven that both problems are (probabilistically) polynomial-time 
equivalent if the totient of P-1 has only small prime factors with respect to 
a (fixed) polynomial in log P. 

There is no algorithm known that solves the discrete log problem in 
probabilistic polynomial time for this case, i.e., where the totient of 
P-l is smooth. Consequently, either there exists a (probabilistic) 
polynomial algorithm to solve the discrete log problem when the totient of 
P-l is smooth or there exist primes (satisfying this condition) for which 
Diffie-Hellman key exchange is secure. 

Introduction 

Let P be a prime and g be a generator of the multiplicative group 
GF(P)*. Let f be an element of GF(P)*. Solving for x 

(1) f = g^x mod P, 

is called the Discrete Logarithm Problem (D.L. problem). Until now, no 
general purpose algorithm has appeared that computes x mod P-1 in 
probabilistic polynomial time (see [Odl]). In [Poh], an algorithm is given 
which solves the D.L. problem in polynomial time for the case where all 
prime factors of P-1 are smaller than some constant B. The time remains 
polynomial if we take B = q(log P), for some fixed polynomial q(.). 
Numbers with this property will be called smooth (with respect to P and 
q). 

Based on the difficulty of solving the general D.L. problem a key 
exchange protocol is proposed in [DH]: The first step is to establish a prime 
P and a generator g of GF(P)* common for all participants. Each party 
j chooses randomly a secret number x_j and computes f_j = g^{x_j}. The f_j 
are made public. The public numbers are sufficient to establish a secret and 
common key for each pair of participants. For example let us assume that 
the first party has secret x and computed 

(2) f_1 = g^x mod P, 

and similarly the second party has secret y and computed 

(3) f_2 = g^y mod P. 

The first party computes f_2^x and the second party computes f_1^y. 
Thus both parties obtain 

(4) f_3 = g^{xy} mod P, 

which they can use as a common secret key. For a passive eavesdropper to 
determine this key, he must find f_3 satisfying (4) with suitable x and y 
satisfying (2) and (3) where the gathered data is just 

(P, g, f_1, f_2). 

This problem will be called the D.H. problem. An obvious way to solve it 
is to solve a D.L. problem with input (P, g, f_1) and then to use the output x 
to compute f_3 by f_3 = f_2^x. The critical question is whether f_3 can be found 
without obtaining (much) information about x or y in the process. In 
[DH] the authors conjecture that solving for x or y is basically the only way to 
solve the D.H. problem. More precisely they conjecture that the D.H. 
problem is hard if the D.L. problem is hard. A sufficient way to prove this 
is showing there exists an algorithm to solve the D.L. problem consisting 
of a (probabilistic) polynomial number of calls to an algorithm which 
solves the D.H. problem (hereafter called a D.H. oracle) and a 
(probabilistic) polynomial number of "elementary" operations. 

In this paper we present such an algorithm for the case where the totient 
of P-1 is smooth with respect to P and q(.). In the literature no 
probabilistic polynomial-time algorithm R exists to solve the D.L. problem for primes 
P for which the totient of P-1 is smooth (notice that P-1 itself has to be 
smooth for the Pohlig-Hellman algorithm to be polynomial-time, see [Poh]). 
From our design it follows that either such an algorithm R exists or primes 
P exist for which the D.H. problem is hard. In the latter case primes P 
for which the biggest prime factor of P-1 is bigger than P^ε for some 
fixed positive real number ε serve as candidates (while the double totient 
of P is smooth). 

Main idea 

Let B be a number which depends polynomially on the logarithm of 
P. It always holds that P-l has a unique factorization MN, where the 
prime factors of M are smaller than B and the prime factors of N are 
bigger (or equal) than B. Assume also that the totient of P-l is smooth. 
Given a generator g of the multiplicative group modulo P and a member 
f of that group we are interested in solving x from (1). It suffices to 
compute x modulo M and x modulo N and use them in a Chinese 
Remainder Algorithm. A solution z of the equation 

f^N = g^{zN} mod P 

is equal to x mod M. This number can be computed in polynomial time 
with techniques similar to Pohlig-Hellman [Poh]. 

Replacing N by M in the last equation and solving the new equation 
would give us x modulo N. At this moment it is not (publicly) known 
how to solve this in polynomial time. What we do is exploit the 
D.H. oracle to solve that new equation. Because the totient of P-1 is 
smooth, each prime factor Q of N appears with multiplicity 1 (otherwise 
Q would be a prime factor of the totient of P-1) and moreover it holds 
that Q-1 is smooth. We proceed computing x modulo N by computing 
x modulo Q for each prime divisor Q of N. 

This algorithm requires a generator h of the multiplicative group 
GF(Q)*, which can be found in probabilistic polynomial time, [Rie] (in a 
practical setting h is already constructed while constructing the big prime 
P). Either x = 0 mod Q or x = h^y mod Q for some y. The first 
possibility appears iff f^L = 1 mod P, where LQ = P-1 = MN. In this 
(unlikely) case we are lucky, having found the answer (x mod Q) already. 
In the other case we proceed by computing the unknown y mod Q-1. 

To compute y it is sufficient to compute y modulo any prime power 
divisor of Q-l because we can combine these answers with the Chinese 
Remainder Algorithm to get y modulo Q-l. We will only show how to 
compute y modulo a prime divisor p of Q-l . 

Let l be (Q-1)/p and compute U = . This can be done by less 
than 2 log(l) calls to the D.H. oracle. This indeed can be done because on 
input (g, the D.H. oracle should output . Next one 
computes U^L and compares this with g^{L h^{al}} for 0 ≤ a < p. There is 
bound to be equality for one of the choices of a and for this a it holds that 
a = y modulo p. 

The above mentioned equality occurs because it is equivalent to the 
equality L h^{yl} = L h^{al} mod P-1 and this is equivalent to the equality 
h^{yl} = h^{al} mod Q. This last equality is equivalent to yl = al mod Q-1 
and finally this is equivalent to y = a mod p. 

Combining these answers for all prime divisors of Q-1 with the 
Chinese Remainder Algorithm we get a solution for y mod Q-1 and we 
compute x = h^y mod Q. Repeating this for each prime divisor Q of N 
and using the Chinese Remainder Algorithm again we establish x mod 
N. Combining this with the already established value for x mod M we 
have arrived at the solution of equation (1). In the actual algorithm in the 
next section we do not mind about multiplicities of prime factors and we 
will also exploit the birthday attack. Furthermore we solve y modulo Q-1 
without the Chinese Remainder Algorithm. 
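The reduction sketched in this section, as an added toy implementation that is not the paper's own code. The parameters are constructed: P = 2111 with P-1 = 2·5·211, so M = 10, N = Q = 211 and Q-1 = 210 = 2·3·5·7 is smooth; the D.H. oracle is simulated with a brute-force discrete-log table (possible only because P is tiny), and U is taken to be g^{x^l} mod P so that U^L is compared with g^{L h^{al}}, as the equality argument above implies.

```python
# Added toy implementation of the D.L. -> D.H.-oracle reduction sketched in "Main idea".
# All parameters are constructed for illustration and are not the paper's values:
#   P = 2111, P-1 = 2110 = 2 * 5 * 211; with smoothness bound B = 10 this gives
#   M = 10 and N = 211.  N = Q = 211 is prime and Q-1 = 210 = 2 * 3 * 5 * 7 is smooth.
P = 2111
M, Q = 10, 211
N = Q                      # N is squarefree; here it has the single prime factor Q
L = (P - 1) // Q           # L*Q = P-1 = M*N, so g^L generates the subgroup of order Q
P_PRIMES = (2, 5, 211)     # prime factors of P-1
Q_PRIMES = (2, 3, 5, 7)    # prime factors of Q-1


def find_generator(p, prime_factors):
    """Smallest generator of GF(p)*, given the prime factors of p-1."""
    return next(c for c in range(2, p)
                if all(pow(c, (p - 1) // r, p) != 1 for r in prime_factors))


g = find_generator(P, P_PRIMES)   # generator of GF(P)*
h = find_generator(Q, Q_PRIMES)   # generator of GF(Q)*, assumed given as in the paper


def make_dh_oracle(base, p):
    """Simulated D.H. oracle: on (base^a, base^b) it returns base^(ab) mod p.
    It cheats with a complete discrete-log table, which only works for a tiny p;
    the reduction below never looks inside the oracle."""
    table, v = {}, 1
    for e in range(p - 1):
        table[v] = e
        v = v * base % p
    return lambda A, B: pow(A, table[B], p)


def crt(residues, moduli):
    """Chinese Remainder Algorithm for pairwise coprime moduli."""
    x, m = 0, 1
    for r, n in zip(residues, moduli):
        x += m * (((r - x) * pow(m, -1, n)) % n)
        m *= n
    return x % m


def x_mod_M(f):
    """x mod M is the z with f^N = g^(zN) mod P.  The paper uses Pohlig-Hellman
    here; because M is tiny this toy simply tries every z."""
    target = pow(f, N, P)
    return next(z for z in range(M) if pow(g, z * N, P) == target)


def x_mod_Q(f, oracle):
    """x mod Q for f = g^x mod P, using the D.H. oracle."""
    if pow(f, L, P) == 1:            # x = 0 mod Q: the 'lucky' case
        return 0

    def g_pow_x_to(k):
        """g^(x^k) mod P by square-and-multiply on k; one oracle call per step,
        since oracle(g^(x^i), g^(x^j)) = g^(x^(i+j))."""
        result, base = g, f          # g^(x^0) and g^(x^1)
        while k:
            if k & 1:
                result = oracle(result, base)
            base = oracle(base, base)
            k >>= 1
        return result

    residues = []
    for p_ in Q_PRIMES:              # y mod p for each prime divisor p of Q-1
        l = (Q - 1) // p_
        U = g_pow_x_to(l)            # U = g^(x^l), fewer than 2 log(l) oracle calls
        U_L = pow(U, L, P)           # U^L depends only on x^l mod Q = h^(yl) mod Q
        a = next(a for a in range(p_)
                 if pow(g, L * pow(h, a * l, Q), P) == U_L)
        residues.append(a)           # equality holds exactly when y = a mod p
    y = crt(residues, Q_PRIMES)      # y mod Q-1
    return pow(h, y, Q)              # x = h^y mod Q


def discrete_log(f, oracle):
    """Solve f = g^x mod P for x mod P-1 with a polynomial number of oracle calls."""
    return crt([x_mod_M(f), x_mod_Q(f, oracle)], [M, Q])


if __name__ == "__main__":
    oracle = make_dh_oracle(g, P)
    x = 1234                                     # constructed secret exponent
    print(discrete_log(pow(g, x, P), oracle))    # 1234
```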

The main algorithm 

In what follows we describe our algorithm to solve the D.L. problem, 
an algorithm which is allowed to make a polynomial number of calls to a 
D.H. oracle and a polynomial number of elementary steps. At the end of 
this section we will be specific about these numbers. 

Let q(.) be a fixed polynomial. Let P be prime and P-l = MN, 
where M, resp. N has small, resp. big prime factors with respect to 
B = q(log(P)) (like in the previous section). We want to solve equation 
(1). We already remarked that solving x modulo M can be done in 
polynomial time. In practical settings we can assume that the factorization 
of N is given (otherwise finding a generator modulo P would be 
difficult). If the factorization of N is not given we can find the factors of 
N in probabilistic polynomial time using the Pollard p-1 method [Pol] in an 
adapted form (details left to the reader). As we remarked in the previous 
section N is squarefree. 

Let Q be a prime divisor of N. We will establish w defined by x 
modulo Q. Let us define L = (P-1)/Q. The algorithm to compute w 
requires a generator h of the multiplicative group GF(Q)*, which can be 
found in probabilistic polynomial time, [Rie] (in a practical setting h is 
already constructed while constructing the big prime P). Either w = 0 
mod Q or w = h^y mod Q. The first possibility appears iff f^L = 1 mod 
P. In this (unlikely) case we are done. In the other case we proceed by 
computing the unknown y mod Q-1. 
Now we will describe the residues which have to be computed in our 
algorithm. Given is the factorization Q-1 = ∏_{i=1}^{k} p_i, where 
p_i ≤ p_{i+1} and p_k < B. Define for j = (-1),(0),1,...,k-1,(k) 

m_j = (Q-1)/p_{j+1}, 

D_j = ∏_{i=j+2}^{k} p_i, 

l_j = m_j / D_j, 

U_j = g^{L x^{l_j}} modulo P, 

t_{bj} = (p_{j+1} - b r_{j+1}) m_j and 

T_{bj} = g^{L h^{t_{bj}}} modulo P 
for 0 ≤ b ≤ (p_j / r_j), 

S_{aj} = h^{a m_j} modulo Q for 0 ≤ a < r_j, 

y_{k-1} = 0, 

C_j = h^{y_j l_j} modulo Q. 

The algorithm starts with computing U_{j+1} from U_j using the D.H. oracle. 
All intermediate U_j have to be stored. The residues T_{bj} need to be stored 
for each different prime divisor p_j of Q-1. The residues S_{aj} may need to 
be stored (especially if is a divisor of Q-1). We compute z_j starting 
with j = k-1 down to 0 and y_j starting from j = k-2 down to -1 as 
follows. For j = k-1 down to 0 we search for a and b for which the 
equation 

(5) (U_j^{C_j})^{S_{aj}} = T_{bj} 

holds. Define z_j by a + b r_{j+1} and y_{j-1} by y_j + z_j D_j. Equation (5) always 
has a solution and finally we can compute w because it is equal to h^{-y_{-1}} 
modulo Q. 

Now we will briefly sketch why this algorithm computes x mod Q. 
After we checked that Q does not divide x we may assume that 
x = h^y + Qr mod MN for some y and r. By induction we will show that 
y + y_i = 0 mod D_i for i = k-1,...,-1. 

This is trivially true for i = k-1. Consider the left side of (5). This is 
equal to 

g^{L (h^y + Qr)^{l_j} h^{y_j l_j} h^{a m_j}}. 

The exponent can be written as 

L (h^{y l_j} + Qt) h^{y_j l_j} h^{a m_j} 

for some t. The right side of (5) is equal to 

g^{L h^{(p_{j+1} - b r_{j+1}) m_j}}. 

Equality (5) holds iff the exponents are equal mod MN. This holds iff 

h^{y l_j + y_j l_j + a m_j} = h^{(p_{j+1} - b r_{j+1}) m_j} mod Q. 

This last equality holds iff 

(6) l_j (y + y_j) + a m_j = (p_{j+1} - b r_{j+1}) m_j mod Q-1. 

Under the induction hypothesis y + y_j = c D_j for some c. Because l_j D_j 
equals m_j, equation (6) holds iff c + a = p_{j+1} - b r_{j+1} mod p_{j+1}. Because 
of the chosen range for (a,b) such an equality will occur. For this pair 
(a,b) we define z_j = a + b r_{j+1} and y_{j-1} = y_j + z_j D_j. Now it holds that 

y + y_{j-1} = y + y_j + (a + b r_{j+1}) D_j = (c + a + b r_{j+1}) D_j = 0 mod p_{j+1} D_j. 

Because p_{j+1} D_j = D_{j-1}, this proves our induction step and ends the 
sketch of the proof. 

We repeat this algorithm for each (big) divisor Q of N and use the 
Chinese Remainder Algorithm to find x modulo N. After that another 
combination with x modulo M establishes the solution x (modulo P-l) 
of our original problem (equation (1).) 

In the following theorem we assume that the factorization of P-l is 
given and also that generators of the multiplicative groups GF(Q)* are 
given for each big prime factor Q of P-l. Furthermore we require that 
the D.H. oracle gives the right answer for each question. 

Theorem : An algorithm to solve the D.L. problem for a prime P 
for which the totient of P-1 is smooth with respect to P and q requires 
order log^(P) calls to the D.H. oracle and order log^(P) √q(log(P)) 
multiplications. This algorithm requires order log^(P) √q(log(P)) 
bits of memory space. 

The first two assumptions of the three assumptions in the paragraph 
just preceding our theorem can be dropped and we still have (probabilistic) 
polynomial-time equivalence. This is also the case if we weaken the last of 
the three assumptions (because of the algebraic structure we can construct 
"majority answers"). 

Conclusion 

At this moment no efficient algorithm to compute the Discrete 
Logarithm is known for the case where the totient of P contains a prime 
factor bigger than P^ε, where ε is some fixed positive real number. So we 
could safely use a Diffie-Hellman key exchange for the subcase where the 
biggest prime factor of the double-totient is smaller than some fixed 
polynomial in the logarithm of P. 

An interesting property of our algorithm to solve the D.L. problem 
using a D.H. oracle is that it mimics the algorithm to solve the D.L. 
problem in polynomial time without a D.H. oracle for the case where P-l 
itself is smooth. It is conceivable that a polynomial-time algorithm to solve 
the D.L. problem for the case where the totient of P-l (the double totient 
case) is smooth may enable us to design an algorithm to solve the D.L. 
problem in the triple totient case in polynomial time and a polynomial 
number of calls to a D.H. problem. If this goes on for higher and higher 
totients we at last have proved that either the general D.L. problem has a 
polynomial-time solution or there exist primes for which the D.H. 
problem is hard. 
Abstract. A secret error-correcting coding (SECC) scheme is one that provides 
both data secrecy and data reliability in one process to combat with 
problems in an insecure and unreliable channel. In an SECC scheme, only 
the authorized user having secretly held information can correct channel errors 
systematically. Two SECC schemes are proposed in this paper. The first 
is a block encryption using Preparata based nonlinear codes; the second one 
is based on block chaining technique. Along with each schemes can be 
secure. 
1. Introduction 

The demand for reliable, secure and efficient digital data transmission and 
storage system has been accelerated by the emergence of large-scale and high 
speed communication networks. In 1948, Shannon demonstrated that errors 
induced by a noisy channel or storage medium can be reduced to any desir- 
able level by proper encoding of the information [Shannon 48]. Since 
Shannon's work, a great deal of developments have contributed toward 
achieving data reliability and the use of coding for error control has become an 
integral part in the design of modern communication systems and digital com- 
puters. 

Information transmitted through communication channel or stored in 
storage system is particularly vulnerable to eavesdropping and tampering. 
Although information can be protected by several ways (e.g., physical control 
— data are stored in physically secure place; or computer system control — the 
operating system provides access control mechanisms to check user's authenti- 
cation), data encryption is the most cost-effective way to provide data secrecy 
[Diffie 76, Wood 81, Denning 82]. 

As computer communications are expanding to many applications, 
assurance of both data reliability and data secrecy becomes an important 
issue. To achieve this purpose, conventionally the first step is to encipher a 
plaintext (M) into a ciphertext and the second step is to encode the ciphertext 
into a codeword (C). To recover the plaintext (M), the receiver decodes the 
received word (C' = C + noise) first and then deciphers the ciphertext (see 
Figure 1.) Combining these two steps into one may obtain faster and more 
efficient implementations. 
Fig. 1 Conventional approach for data reliability and data secrecy. 



1.1 Joint Encryption and Error Correction (JEEC) Scheme 

In his public-key cryptosystem, McEliece applied error-correcting capability of 
Goppa codes to provide data secrecy [McEliece 78]. His idea is to introduce a 
random error vector to each encoded plaintext before transmission. The 
Hamming weight (t') of the error vector is equal to the number (t) of errors 
the code can correct. Therefore, the receiver can remove the error vector and 
recover the plaintext by applying the decoding of the code. 

If t' < t, then up to t-t' errors may occur in the channel and these 
errors can be corrected by the receiver. Thus, the system provides both data 
secrecy and data reliability simultaneously. Since the system becomes less 
secure if t' is small but provides less error correcting capability if t' is large, 
there is a trade-off between data secrecy and data reliability. This approach, 
to obtain both data secrecy and data reliability while providing a trade-off 
between them, is called the Joint Encryption and Error Correction (JEEC) 
scheme [Rao 85]. 

Definition 1. The JEEC Scheme 

A scheme that combines data encryption with data encoding into one process 
while providing a trade-off between data secrecy and data reliability is called 
a JEEC scheme. 
1.2 Secret Error-Correcting Codes (SECC) 

Conventional approach to obtain both data reliability and data secrecy has the 
disadvantage of inefficiency in the implementation because data encoding and 
data enciphering are implemented as two different steps. JEEC scheme combines 
both transformations into one process while providing only a trade-off between 
data reliability and data secrecy. Large distance and also large block length 
codes are required in JEEC to combat with problems in an insecure and unreli- 
able channel. However, such codes have low information rates and a relatively 
high amount of decryption overhead. Therefore, they may not be cost-effective. 
This leads us to introduce the SECC scheme which may use simple algebraic 
codes (e.g., d^^s) and also provides both data reliability and data security in 
one process. The SECC scheme can be defined as follows (see Figure 2). 

Definition 2. The SECC Scheme 

A scheme that combines data encryption with data encoding into one process 
to obtain both data secrecy and data reliability, while retaining the full 
error correction capability of the introduced code for possible channel errors, 
is called an SECC scheme. Also in an SECC scheme, the cryptanalyst is 
unable to correct channel errors systematically. By that we mean it is com- 
putationally infeasible for the cryptanalyst to correct channel errors without 
decoding keys. 
Fig. 2 The SECC scheme 



Note that JEEC scheme preserves only partial error-correcting ability, 
whereas SECC scheme preserves full error-correcting ability of the code. 
Therefore SECC scheme can provide better error correcting capabilities than 
JEEC does under the use of the same algebraic codes. In a noisy channel, 
before the plaintext can be recovered the cryptanalyst has to correct channel 
errors (if any) first. If he cannot correct these errors, then he also cannot 
recover the plaintext. This is because any uncorrected error in the received 
ciphertext C will only generate an M' totally different from the plaintext M 
(due to the so-called "Avalanche effect" in any good cryptosystem.) Therefore, 
the presence of noise errors would only increase the security of the system. 
However, the strength of an SECC system should not depend on the presence 
of channel errors because they are random in nature. On the other hand, in a 
conventional system since the coding scheme is public, the cryptanalyst is able 
to correct channel errors. Therefore, the presence of channel errors doesn't 
increase the security of the system. We will study an SECC scheme using 
nonlinear codes in Sec. 2 and an SECC scheme using block chaining technique 
in Sec. 3. Along with each scheme discussed, we investigate various cryptana- 
lytic attacks to show how the scheme can be secure. 

2. SECC Scheme Using Nonlinear Codes 

Nonlinear codes with high degree of nonlinearity and whose decoding highly 
depends on the structure of the codeword, are particularly promising to con- 
struct SECC systems. In this section, we investigate Preparata-based non- 
linear codes to construct SECC systems. Nonlinear codes, such as Vasil'yev 
nonlinear codes [Vasil'yev 62] which have only one nonlinear bit in each codeword, 
are not very useful in this application. We begin with a brief introduction 
to Preparata codes. Then, we review a code construction technique to 
construct nonlinear codes with large minimum distances from old codes. 
Finally, we propose an SECC scheme using nonlinear codes and investigate its 
security level. 

2.1 Preparata Nonlinear Codes [Preparata 68] 

Preparata has constructed a class of nonlinear double error-correcting 
(2^m - 1, 2^m - 2m) codes, for each even m ≥ 4, with some interesting features. 
They contain twice as many codewords as the double error-correcting BCH 
codes of the same length and they are optimal. Moreover, their decoding can 
be based on the calculation of syndrome-like quantities and thus the complex- 
ity is comparable to the corresponding BCH codes. The encoding and decod- 
ing are given here without proof. However, they can be found in [Preparata 
68]. 
Assume that all polynomials discussed here belong to the algebra of polynomials 
modulo (x^{2^{m-1}-1} + 1) over GF(2). Let B = {m(x)} be a single-error-correcting 
BCH code generated by a primitive polynomial p_1(x) of degree m-1 
that has a primitive element α as its root. Let C = {s(x)} be the BCH code 
whose generator polynomial has roots α, α^3, and 1. The polynomial u(x) will 
denote (x^{2^{m-1}-1} + 1)/(x+1). Consider a linear code C_K given by the vectors of 
the form 

v = [m(x), i, m(x) + (m(1) + i) u(x) + s(x)], where i ∈ GF(2). 

C_K can be shown to be a (2^m - 1, 2^m - 3m + 1) linear code of minimum distance 6. 

Let φ(x) = (x^{2^{m-1}-1} + 1)/p_1(x). Then, there exists an a (0 ≤ a ≤ 2^{m-1} - 2) such 
that x^a φ(x) = (x^a φ(x))^2. Let f(x) = x^a φ(x) and q(x) be a monomial of degree 
less than or equal to 2^{m-1} - 2. m(x), s(x), i, and q(x) are independently chosen. 
Then, the code K_P of the form 

w = [m(x), i, m(x) + q(x) f(x) + (m(1) + i) u(x) + s(x)] 

is an (n,k) = (2^m - 1, 2^m - 2m) Preparata nonlinear code of distance 5. To 
encode a (2^m - 2m)-bit information, the first (2^{m-1} - m) bits are encoded into 
m(x); the next (2^{m-1} - 2m) bits are encoded into s(x); the following one bit is 
interpreted as i and the last (m-1) bits are encoded into q(x). 

For decoding, assume that the vector w was sent and that the vector 

r = [r_0(x), i', r_1(x)] = w + [e_0(x), e, e_1(x)] 

is received. Given the following definitions 

H_1 = [α^{2^{m-1}-2}, α^{2^{m-1}-3}, ..., α, 1] 

H_3 = [(α^3)^{2^{m-1}-2}, (α^3)^{2^{m-1}-3}, ..., (α^3), 1] 

U = [1, 1, ..., 1] 

the syndrome S = (σ_0, σ_1, σ, δ) of r can be computed in the following manner. 

σ_0 = r_0(x) H_1^T = α^{a*} + e_0(α) 
σ_1 = r_1(x) H_1^T = α^{a*} + e_1(α) 
σ = (r_0(x) + r_1(x)) H_3^T = 
δ = i' + r_1(x) U^T = e + e_1(1) 

where q(x) = x^{a*} is the monomial in the codeword. 

Let ρ = σ + (σ_0 + σ_1)^3. If ρ = σ_j^3 (j = 0,1) and δ = 0, then r is a member of 
the nonlinear code. If the above condition is not true, then let c = 
[e_0(x), e, e_1(x)] be the "correction" vector that can be added to r to get the 
codeword w. The vector c can be found by the following rules, if j is taken 
modulo 2. 

Rule 1: If ρ = σ_j^3 and ρ ≠ σ_{j+1}^3 then e_{j+1}(x) = x^{a*} where α^{a*} = σ_0 + σ_1 and 
e = δ + 

If ρ ≠ σ_j^3, then we have the following rules. 

Rule 2: If δ = 1 then e = 0 and e_j(x) = x^{a*} where 

Rule 3: If δ = 0 and σ_0 + σ_1 ≠ 0 then set e = 0, e_j(x) = 0, and 
e_{j+1}(x) = x^{a*1} + x^{a*0} where α^{a*1} and α^{a*0} are the solutions of 
z^2 + (σ_0 + σ_1) z + (ρ + σ_j^3)/(σ_0 + σ_1) = 0 

Rule 4: If δ = 0 and σ_0 + σ_1 = 0 then r is at a distance > 3 from any 
codeword. 
If Preparata codes are to be used in the cryptosystems, then the only practical 
values of m are 6, 8 and 10. Therefore, the codes that will be considered here 
are (63, 52), (255, 240) and (1023, 1004) Preparata codes. 

2.2 Construction of New Codes From Old Codes [MacWilliams 77]

We have given a very brief introduction to Preparata nonlinear codes, which can only correct double errors. In this section, we review a code construction technique for building nonlinear codes that can correct more than two errors.

Let $K_i$ be an $(n_i, N_i, d_i)$ code, where $n_i$ is the code length, $N_i$ is the number of codewords and $d_i$ is the minimum distance between any two codewords of the code ($1 \le i \le 2$). A new code $K^*$ can be constructed from $K_1$ and $K_2$, called the base codes of $K^*$ here, as follows.



where $E_i$ is the encoding of $K_i$ and $M = (M_1, M_2)$ is a plaintext block which is divided into two subblocks $M_1$ and $M_2$ over GF(2). Then $K^*$ is a $(2\max\{n_1, n_2\},\ N_1 N_2,\ d = \min\{2d_1, d_2\})$ code [MacWilliams 77]. If $n_1 \ne n_2$, then enough zeros can be added to the end of the shorter code. Note that $K^*$ is a linear code if and only if both $K_1$ and $K_2$ are linear codes; otherwise it is a nonlinear code. This procedure can be iterated to construct nonlinear codes with large minimum distances. Here, we suggest the use of Preparata codes as base codes to construct new nonlinear codes, or we assume that $K_1$, $K_2$ or both are nonlinear codes constructed from Preparata codes. The decoding of the newly constructed code is rather straightforward and is omitted here.
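The parameters quoted above, $(2\max\{n_1, n_2\},\ N_1 N_2,\ \min\{2d_1, d_2\})$, are those of the $(u \mid u+v)$ construction of MacWilliams and Sloane, $K^* = \{(u,\ u+v) : u \in K_1,\ v \in K_2\}$, with the shorter base codewords zero-padded. The Python script below is an added example and not code from the paper: it builds $K^*$ from two small constructed base codes, checks the claimed parameters by brute force, and shows that $K^*$ is nonlinear as soon as one base code is (here a two-word coset $\{0011, 1100\}$ stands in for the Preparata base code the paper suggests).

```python
from itertools import combinations, product


def hamming_distance(a, b):
    return sum(x != y for x, y in zip(a, b))


def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def pad(word, n):
    """Append zeros so that a shorter base codeword has length n."""
    return tuple(word) + (0,) * (n - len(word))


def u_u_plus_v(k1, k2):
    """(u | u+v) construction: K* = {(u, u+v) : u in K1, v in K2}."""
    n = max(len(next(iter(k1))), len(next(iter(k2))))
    return [pad(u, n) + xor(pad(u, n), pad(v, n)) for u in k1 for v in k2]


def min_distance(code):
    """Minimum Hamming distance between two distinct codewords (brute force)."""
    return min(hamming_distance(a, b) for a, b in combinations(list(code), 2))


def parameters(code):
    """(n, N, d): length, number of codewords, minimum distance."""
    code = list(code)
    return (len(code[0]), len(code), min_distance(code))


def predicted_parameters(k1, k2):
    """What [MacWilliams 77] promises for K*: (2 max{n1,n2}, N1 N2, min{2 d1, d2})."""
    (n1, big_n1, d1), (n2, big_n2, d2) = parameters(k1), parameters(k2)
    return (2 * max(n1, n2), big_n1 * big_n2, min(2 * d1, d2))


def is_linear(code):
    """A binary code is linear iff it is closed under coordinatewise XOR."""
    words = set(code)
    return all(xor(a, b) in words for a in words for b in words)


def even_weight_code(n):
    """The (n, 2^(n-1), 2) linear code of all even-weight words."""
    return [w for w in product((0, 1), repeat=n) if sum(w) % 2 == 0]


# Constructed base codes (stand-ins for the paper's Preparata base codes).
K1 = even_weight_code(4)                      # linear (4, 8, 2)
K2_LINEAR = [(0, 0, 0, 0), (1, 1, 1, 1)]      # linear (4, 2, 4) repetition code
K2_NONLINEAR = [(0, 0, 1, 1), (1, 1, 0, 0)]   # nonlinear (4, 2, 4): a coset, no zero word

if __name__ == "__main__":
    for k2 in (K2_LINEAR, K2_NONLINEAR):
        k_star = u_u_plus_v(K1, k2)
        print(parameters(k_star), predicted_parameters(K1, k2), is_linear(k_star))
```

Both runs give (8, 16, 4): the first $K^*$ is the linear [8, 4, 4] extended Hamming code, the second a nonlinear code with the same parameters, which is exactly the kind of code the scheme wants as $E_{K^*}$.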
2.3 Encryption and Decryption of the SECC Scheme Using Nonlinear Codes

The SECC scheme using nonlinear codes combines block encryption and error correction into one operation that also preserves the full error-correction capability of the code for possible channel errors. Each block is enciphered and deciphered independently under this scheme.

Encryption

Let $E_{K^*}$ denote the encoding of a nonlinear code that encodes a $k$-bit information block into an $n$-bit codeword. Let $\Phi$ be an invertible function that transforms a $k$-bit block into a $k$-bit block in either a linear or a nonlinear manner. The matrix $P$ is a random permutation matrix of size $n$. A $k$-bit plaintext block $M$ is enciphered into an $n$-bit ciphertext $C$ by the following equation:
$$ C = E_{K^*}(\Phi(M))\,P. \qquad (1) $$
The cryptographic parameters that are secretly held in the system are $\Phi$, $P$ and $E_{K^*}$. Since ciphertext-only attacks are much weaker than known-plaintext or chosen-plaintext attacks, constructing a cryptosystem that withstands ciphertext-only attacks is considered much easier than constructing one that withstands known-plaintext or chosen-plaintext attacks. In the proposed scheme, we assume that the function $\Phi$ withstands ciphertext-only attacks but may be broken by a known-plaintext attack. Hence the security of the scheme should depend on the strength of the combination of $\Phi$, $E_{K^*}$ and $P$, and not on the strength of $\Phi$, $E_{K^*}$ or $P$ alone. This also illustrates the difference between SECC and the conventional approach to providing both data secrecy and data reliability.
Decryption

Let $D_{K^*}$ be the decoding of the nonlinear code and let $E_i$ be a correctable error vector that occurs due to channel noise when the $i$-th ciphertext block is transmitted. The deciphering procedure is given below.

(1) Remove the permutation matrix $P$ ($P^T$ is the transpose of $P$):
$$ (C + E_i)\,P^T = E_{K^*}(\Phi(M)) + E_i\,P^T. $$

(2) Decoding:
$$ D_{K^*}\big(E_{K^*}(\Phi(M)) + E_i\,P^T\big) = \Phi(M). $$

(3) Recover the plaintext $M$:
$$ M = \Phi^{-1}(\Phi(M)). $$

Notice that the error-correcting capability of the code is fully preserved to correct channel errors (the $E_i$'s), as required of an SECC scheme; $E_i P^T$ has the same weight as $E_i$, so it remains correctable. Since the decoding of Preparata codes depends heavily on the structure of the codeword, a cryptanalyst cannot correct channel errors without knowing the matrix $P$. This is another property required of an SECC scheme.
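To make the three steps concrete, here is an added example (not code from the paper) of the scheme in equation (1) with a small stand-in for $E_{K^*}$: the nonlinear (8, 16, 4) code obtained by the $(u \mid u+v)$ construction of Section 2.2 from the even-weight (4, 8, 2) code and the coset $\{0011, 1100\}$, which corrects one channel error. $\Phi$ is a secret 4-bit substitution table (nonlinear and invertible) and $P$ a secret permutation of the 8 codeword positions; both are derived from a seed here only for reproducibility. The decryption undoes $P$ first, decodes, then applies $\Phi^{-1}$.

```python
import random
from itertools import product

K, N = 4, 8  # 4 information bits -> 8-bit codeword

# Constructed nonlinear (8, 16, 4) code: (u | u+v) with u in the even-weight (4, 8, 2)
# code and v in the nonlinear (4, 2, 4) coset {0011, 1100}. It stands in for the
# Preparata-based code E_{K*} of the paper and corrects any single error (d = 4).
_U = [w for w in product((0, 1), repeat=4) if sum(w) % 2 == 0]
_V = [(0, 0, 1, 1), (1, 1, 0, 0)]
CODEBOOK = [u + tuple(a ^ b for a, b in zip(u, v)) for u in _U for v in _V]


def encode(msg):
    """E_{K*}: 4-bit message (int 0..15) -> 8-bit codeword (tuple of bits)."""
    return CODEBOOK[msg]


def decode(word):
    """D_{K*}: nearest-codeword decoding; returns the 4-bit message as an int."""
    dist = lambda cw: sum(a != b for a, b in zip(cw, word))
    return min(range(len(CODEBOOK)), key=lambda i: dist(CODEBOOK[i]))


def keygen(seed):
    """Secret parameters: Phi as a 4-bit S-box, P as a permutation of positions."""
    rng = random.Random(seed)
    sbox = list(range(1 << K))
    rng.shuffle(sbox)
    perm = list(range(N))
    rng.shuffle(perm)
    return sbox, perm


def encrypt(key, m):
    """C = E_{K*}(Phi(M)) P : output position j carries codeword position perm[j]."""
    sbox, perm = key
    cw = encode(sbox[m])
    return tuple(cw[perm[j]] for j in range(N))


def decrypt(key, received):
    """(C + E) P^T, then decode, then Phi^{-1}; a single channel error is corrected."""
    sbox, perm = key
    word = [0] * N
    for j in range(N):
        word[perm[j]] = received[j]          # undo P
    return sbox.index(decode(tuple(word)))   # Phi^{-1}


def flip(word, pos):
    """Constructed channel error E: flip one bit of the transmitted block."""
    return tuple(b ^ (1 if i == pos else 0) for i, b in enumerate(word))


if __name__ == "__main__":
    key = keygen(2024)
    c = encrypt(key, 0b1011)
    print(c, decrypt(key, c), decrypt(key, flip(c, 5)))
```

Without the permutation, the receiver would be applying the decoder to a word from a different (permuted) code, which is the point of the remark that channel errors cannot be corrected without knowing $P$.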

2.4 Security of the SECC Scheme Using Preparata-Based Nonlinear Codes

We have discussed both the enciphering and deciphering of the SECC scheme using Preparata-based nonlinear codes. What remains to be studied is the security of the scheme. For simplicity we investigate mainly the security of the SECC scheme using Preparata codes; the security of the SECC scheme using extended nonlinear codes follows directly. Let $E_p$ and $D_p$ represent the encoding and decoding of a Preparata code respectively.

As mentioned earlier, the function $\Phi$ can be either a linear or a nonlinear transformation. If the system using a linear function $\Phi$ could provide an acceptable level of security ($\approx 2^{60}$ operations), then the system could provide even better security if $\Phi$ is a nonlinear function.

First, we consider the case where both $\Phi$ and $P$ are removed from the original scheme. In the following lemma, we show that the simplified scheme can be broken by a known-plaintext attack. For this discussion, we assume that no error occurs in the channel.

Lemma 1.

The encryption scheme
$$ C = E_p(M) $$
can be broken by a known-plaintext attack in $O(n^2)$ bit operations.

<Proof>

The generator polynomial $g_1(x)$ can be derived from a pair of plaintext and ciphertext as follows. The cryptanalyst obtains $q(x)$ from the last $m-1$ bits of the plaintext. Hence $m(x)$ can be computed from the first part ($2^{m-1}-1$ bits) of the ciphertext. Subsequently, he can derive $g_1(x)$ from $m(x)$ and the first $2^{m-1}-m$ bits of the plaintext under a known-plaintext attack. Obviously, this requires only $O(n^2)$ bit operations.

Q.E.D.

Let $N(g_1)$ denote the number of primitive polynomials $g_1(x)$ available for a class of Preparata codes of a given code length $n$. Then $N(g_1)$ can be computed by the formula
$$ N(g_1) = \frac{\varphi(2^{m-1}-1)}{m-1}, $$
where $\varphi$ is the Euler totient function and $m-1$ is the degree of the primitive polynomial $g_1(x)$. Therefore, we have
$N(g_1) = 2$ if $n = 15$,
$N(g_1) = 6$ if $n = 63$,
$N(g_1) = 18$ if $n = 255$,
$N(g_1) = 48$ if $n = 1023$.
The number of choices of the primitive polynomial $g_1(x)$ in Preparata codes of practical lengths is too small for the simplified scheme to be secure.
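As a check on this table, the following Python script (an added example, not from the paper) enumerates the primitive polynomials of degree $m-1$ over GF(2) by testing that $x$ has multiplicative order exactly $2^{m-1}-1$ modulo each candidate, and compares the count with $\varphi(2^{m-1}-1)/(m-1)$ for $n = 15, 63, 255, 1023$. An order that large is only possible when the candidate is irreducible, so no separate irreducibility test is needed. The point for the scheme is how small this key space is: at most 48 choices even for $n = 1023$.

```python
def gf2_mulmod(a, b, p, d):
    """Product of two polynomials over GF(2) reduced modulo p (degree d).
    Polynomials are ints: bit i is the coefficient of x^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> d) & 1:
            a ^= p
    return r


def gf2_powmod(base, e, p, d):
    r = 1
    while e:
        if e & 1:
            r = gf2_mulmod(r, base, p, d)
        base = gf2_mulmod(base, base, p, d)
        e >>= 1
    return r


def prime_factors(n):
    factors, q = set(), 2
    while q * q <= n:
        while n % q == 0:
            factors.add(q)
            n //= q
        q += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive(p, d):
    """p (degree d, constant term 1) is primitive iff x has order exactly 2^d - 1
    modulo p: x^(2^d - 1) = 1 and x^((2^d - 1)/q) != 1 for every prime q | 2^d - 1."""
    order = (1 << d) - 1
    if gf2_powmod(0b10, order, p, d) != 1:
        return False
    return all(gf2_powmod(0b10, order // q, p, d) != 1 for q in prime_factors(order))


def primitive_polynomials(d):
    """All primitive polynomials of degree d over GF(2), as ints."""
    return [p for p in range(1 << d, 1 << (d + 1)) if p & 1 and is_primitive(p, d)]


def euler_phi(n):
    result = n
    for q in prime_factors(n):
        result = result // q * (q - 1)
    return result


def key_count_by_formula(n):
    """N(g_1) = phi(2^(m-1) - 1) / (m - 1) for a Preparata code of length n = 2^m - 1."""
    m = n.bit_length()
    return euler_phi((1 << (m - 1)) - 1) // (m - 1)


def key_count_by_enumeration(n):
    """N(g_1) obtained by listing the primitive polynomials of degree m - 1."""
    return len(primitive_polynomials(n.bit_length() - 1))


if __name__ == "__main__":
    for n in (15, 63, 255, 1023):
        print(n, key_count_by_formula(n), key_count_by_enumeration(n))
```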

We may introduce a secret linear function $\Phi$ to scramble the plaintext before encoding. However, the modified system is still insecure under a chosen-plaintext attack, as shown in the following lemma.

Lemma 2.

The encryption scheme
$$ C = E_p(\Phi(M)) $$
can be broken by a chosen-plaintext attack in $O(n^2)$ bit operations.

<Proof>

Let $M_1$, $M_2$ and $M_3$ be three plaintext blocks to be enciphered in the system, where $M_1 = M_2 + M_3$. Let $C_1$, $C_2$ and $C_3$ be their respective ciphertexts. Then
$$ C_1 + C_2 + C_3 = \big(q_1(x) + q_2(x) + q_3(x),\ 0,\ q_1(x)f(x) + q_2(x)f(x) + q_3(x)f(x)\big), $$
where $q_i(x)$ is a monomial whose power is taken from the decimal equivalent of the last $m-1$ bits of the scrambled plaintext $\Phi(M_i)$. Let $q_i(x) = 0$ if that power equals $2^{m-1}-1$. Consequently, $f(x)$ can be derived from the first $2^{m-1}-1$ bits and the last $2^{m-1}-1$ bits of the ciphertext in $O(n^2)$ bit operations. Once $f(x)$ is obtained, $g_1(x)$ can be derived easily (see Sec. 2.1). Therefore, the security of the system depends entirely on the strength of the function $\Phi$, which, unfortunately, can be broken by a known-plaintext attack as mentioned previously.

Q.E.D.

The simplified scheme in Lemma 2 is insecure because the structure of the code is revealed. Therefore, the cryptanalyst can remove the linear component of the codewords and then break the system. In order to avoid this weakness, a permutation matrix may be introduced to scramble the structure of the code. However, the following lemma shows that the modified scheme can be broken by a chosen-plaintext attack if the function $\Phi$ is not introduced into the scheme.

Lemma 3.

The encryption scheme
$$ C = E_p(M)\,P $$
can be broken by a chosen-plaintext attack in $O(n^3)$ operations.

<Proof>

Let $M$ be a $(2^{m-1}-1) \times k$ matrix of plaintexts, and let $M_i$ ($1 \le i \le 2^{m-1}-1$), the $i$-th row of $M$, be the $i$-th plaintext to be enciphered in the system. Let $C_w$ denote the matrix of ciphertexts of $M$. Then the following relation holds, where $T_w$ is the $(2^{m-1}-1) \times (2^m-1)$ matrix of codewords of $M$ encoded by the Preparata code:
$$ T_w\,P = C_w, \qquad
T_w = \begin{bmatrix}
0 & \cdots & 0 & 1 & 0 & \cdots & f(x) \\
0 & \cdots & 1 & 0 & 0 & \cdots & x\,f(x) \\
\vdots & & & & & & \vdots \\
1 & \cdots & 0 & 0 & 0 & \cdots & x^{2^{m-1}-2} f(x)
\end{bmatrix}, $$
that is, the first part of the $i$-th row is a distinct unit vector and its last part is $x^{i-1} f(x)$.

Notice that the columns of the matrix $T_w$ are all distinct. Therefore, by trying all possible $f(x)$'s (i.e., $N(g_1)$ of them), the cryptanalyst can obtain both the function $f(x)$ and the permutation matrix $P$ used in the system. The work factor of this attack is dominated by the overhead of enciphering $2^{m-1}-1$ chosen plaintexts, i.e., $O(n^3)$.

Q.E.D.

From these lemmas we see that if both the function $\Phi$ and the permutation matrix $P$ are introduced into the system as a portion of the key, then these attacks cannot break the resulting scheme.

Since there are only a small number of primitive polynomials for a given code length $n$, the cryptanalyst may try to guess the generator polynomial $g_1(x)$ used in the system. However, checking the correctness of each guess involves a very large amount of work to figure out both functions $\Phi$ and $P$. That is a hopeless task.

The SECC scheme using Preparata codes combines block encryption and error correction into one operation that also preserves the full error-correction capability of the code for possible channel errors. This is a major distinction from McEliece's scheme, which has no error-correcting capability, or only a partial one when used as JEEC. While the somewhat simpler SECC schemes given in Lemmas 1-3 are shown to be breakable under known-plaintext or chosen-plaintext attacks, the proposed scheme with both functions $\Phi$ and $P$ appears to be secure. It would be a challenge indeed to find cryptanalytic attacks that break this scheme.

These attacks are performed under the assumption that no error occurs in the channel. If there are channel errors, then it will be much more difficult to perform these attacks against the SECC system. Therefore, the presence of channel errors introduces an additional level of data security to the system, as required of an SECC scheme.

There are several types of cryptanalytic attack against algebraic-code cryptosystems discussed in [Rao 87, Struik 87]. These attacks are based on the linearity of the system. They are not applicable to this nonlinear coding scheme.
3. SECC Scheme Using Block Chaining Technique

In this section, we propose an SECC scheme based on a block chaining technique. In this scheme, because each ciphertext is a function of all previous plaintexts, a decoding error in one ciphertext will propagate all the way through to the last block. This "error propagation" property can be applied to detect any illegal modification to the ciphertext and thus provides data integrity [Meyer 82]. Therefore, this scheme can provide not only data reliability and data secrecy but also data integrity in one enciphering. But any decoding error requires the retransmission of all blocks chained together.

3.1 Encryption and Decryption of the Proposed Scheme

Rao and Nam have suggested a private-key algebraic code cryptosystem (the Rao-Nam scheme) using simple linear codes [Rao 87]. By simple codes we mean codes with small minimum distance. In this scheme, a $k$-bit plaintext block $M_i$ is enciphered into an $n$-bit ciphertext block $C_i$ by the following equation:
$$ C_i = (M_i\,S\,G + Z_i)\,P, $$
where

$S$: an arbitrary $(k \times k)$ nonsingular matrix,

$G$: an $(n, k)$ code generator matrix,

$P$: a random $(n \times n)$ permutation matrix,

$Z_i$: an error vector of length $n$ randomly selected from a predetermined syndrome-error table.

$S$, $G$ and $P$ are private keys.

Struik and van Tilburg proposed chosen-plaintext attacks (ST-type attacks) on the Rao-Nam scheme. Their attacks are based on estimating the rows of the encipher matrix $G' = SGP$, either by constructing unit vectors from the chosen plaintexts or by solving a set of linear equations [Struik 87]. They also proposed a modified scheme to withstand these attacks. In their modified scheme, the matrix $S$ of the Rao-Nam scheme is replaced by an invertible nonlinear function $f$ such that $M_i = f^{-1}(f(M_i, Z_i), Z_i)$. In the modified scheme, $M_i$ is enciphered into $C_i$ by the following equation:
$$ C_i = f(M_i, Z_i)\,G\,P + Z_i. $$

These schemes are proposed mainly for providing data secrecy. They are not designed to realize JEEC or SECC and therefore do not provide data reliability. However, by modifying the way the error vectors (the $Z_i$'s) are introduced, an SECC system can be constructed. The block chaining technique will be applied to facilitate this construction. The proposed system is described below and is shown in Figure 3.
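The unit-vector version of the ST-type attack is easy to see on a toy instance. The Python below is an added example, not code from [Rao 87] or [Struik 87]: it instantiates the Rao-Nam scheme with the [7, 4, 3] Hamming code as $G$, a random nonsingular $S$, a random $P$ and error vectors of weight at most $t = 1$, then recovers $G' = SGP$ from chosen plaintexts by encrypting each unit vector repeatedly and taking a per-coordinate majority vote (each coordinate of $Z_i P$ is 1 with probability well below $1/2$). Once $G'$ is known the attacker decrypts any block by searching the $2^k$ messages for the one whose codeword lies within distance $t$ of the ciphertext. The seed is fixed only for reproducibility.

```python
import random
from itertools import product

K, N, T = 4, 7, 1
# Systematic generator matrix of the [7, 4, 3] Hamming code (constructed toy G).
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]


def vecmat(v, m):
    """Row vector times matrix over GF(2)."""
    return [sum(v[i] & m[i][j] for i in range(len(v))) % 2 for j in range(len(m[0]))]


def gf2_rank(m):
    rows = [int("".join(map(str, r)), 2) for r in m]
    rank = 0
    for bit in reversed(range(len(m[0]))):
        pivot = next((i for i in range(rank, len(rows)) if (rows[i] >> bit) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> bit) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def rao_nam_keygen(rng):
    """Private key: nonsingular S (k x k), permutation P, table of correctable errors Z."""
    while True:
        s = [[rng.randint(0, 1) for _ in range(K)] for _ in range(K)]
        if gf2_rank(s) == K:
            break
    perm = list(range(N))
    rng.shuffle(perm)
    errors = [list(z) for z in product((0, 1), repeat=N) if sum(z) <= T]
    return s, perm, errors


def rao_nam_encrypt(key, m, rng):
    """C_i = (M_i S G + Z_i) P with Z_i drawn at random from the error table."""
    s, perm, errors = key
    z = rng.choice(errors)
    w = [a ^ b for a, b in zip(vecmat(vecmat(m, s), G), z)]
    return [w[perm[j]] for j in range(N)]


def encryption_matrix(key):
    """The matrix G' = S G P the attacker is after (used only to check the attack)."""
    s, perm, _ = key
    return [[row[perm[j]] for j in range(N)] for row in [vecmat(r, G) for r in s]]


def st_attack(oracle, samples=31):
    """Chosen-plaintext recovery of G': row j is the per-coordinate majority vote over
    repeated encryptions of the unit vector e_j (Z_i P rarely sets any given coordinate)."""
    recovered = []
    for j in range(K):
        unit = [1 if i == j else 0 for i in range(K)]
        cts = [oracle(unit) for _ in range(samples)]
        recovered.append([1 if 2 * sum(c[i] for c in cts) > samples else 0 for i in range(N)])
    return recovered


def attacker_decrypt(g_prime, c):
    """With G' known, the plaintext is the unique m whose codeword m G' is within
    distance T of c (the permuted code still has minimum distance 3)."""
    for m in product((0, 1), repeat=K):
        if sum(a ^ b for a, b in zip(c, vecmat(m, g_prime))) <= T:
            return list(m)
    return None


def demo(seed=7):
    """Run the whole attack; returns (G' recovered exactly?, all 16 blocks decrypted?)."""
    rng = random.Random(seed)
    key = rao_nam_keygen(rng)
    g_prime = st_attack(lambda m: rao_nam_encrypt(key, m, rng))
    ok_matrix = g_prime == encryption_matrix(key)
    ok_decrypt = all(attacker_decrypt(g_prime, rao_nam_encrypt(key, list(m), rng)) == list(m)
                     for m in product((0, 1), repeat=K))
    return ok_matrix, ok_decrypt


if __name__ == "__main__":
    print(demo())
```

The chained scheme described next removes exactly the handle this attack uses: the block fed to $G$ is $f(M_i + X_{i-1})$, so a chosen unit-vector plaintext no longer selects a fixed row of $G$.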

Encryption.

The cryptographic parameters (that are secretly held) for this scheme are

$f$: an invertible, nonlinear function which transforms a $k$-bit block to a $k$-bit block,

$G$: an $(n, k)$ code generator matrix,

$g$: a $k$-bit to $n$-bit block expanding function.

The following symbols are used for this scheme.

$X_i$: the $i$-th output of $f$ ($i = 1, 2, \ldots$).

$Z_i$: the $i$-th error vector, $Z_{i+1} = g(X_i)$. $Z_1$ is a correctable error randomly generated by the system.

$E_i$: error vector due to channel noise that occurs when the $i$-th block is transmitted.

$C_i' = C_i + E_i$: the $i$-th block received at the receiver end.

$D$: the decoding of the introduced code.

$\delta$: a one-cycle delay register used to store $X_i$.

Fig. 3 SECC Scheme Using Block Chaining Technique (sender and receiver)

The data stream consists of $k$-bit blocks $M_1, M_2, \ldots, M_t$. At time 1, the first plaintext $M_1$ is transformed into $X_1$ by the function $f$. Then $X_1$ is stored in the register $\delta$ and simultaneously encoded by $G$. Before the first codeword $X_1 G$ is sent to the receiver, a randomly generated error $Z_1$ that can be corrected by the code is added to the codeword $X_1 G$. The result, $C_1 = X_1 G + Z_1$, is the first ciphertext transmitted to the receiver. At time $i$, the plaintext $M_i$ is exclusive-ORed with $X_{i-1}$, taken from the register $\delta$. Then $X_i = f(M_i + X_{i-1})$ is computed and stored in $\delta$. At that time, $Z_i = g(X_{i-1})$ is also computed. After $X_i G$ is obtained, the ciphertext $C_i = X_i G + Z_i$ can be constructed. In general, the encryption sequence is as follows:
$$ C_1 = f(M_1)\,G + Z_1, $$
$$ C_2 = f(M_2 + X_1)\,G + Z_2, \qquad (X_1 = f(M_1),\ Z_2 = g(X_1)), $$
$$ C_3 = f(M_3 + X_2)\,G + Z_3, \qquad (X_2 = f(M_2 + X_1),\ Z_3 = g(X_2)), $$
$$ \vdots $$
$$ C_t = f(M_t + X_{t-1})\,G + Z_t, \qquad (X_{t-1} = f(M_{t-1} + X_{t-2}),\ Z_t = g(X_{t-1})). $$

Due to the block chaining feature, identical plaintext blocks are enciphered to different ciphertexts. Therefore, cryptanalysis is more difficult. Since the ciphertexts are not codewords, the cryptanalyst cannot construct a combinatorially equivalent generator matrix of the code from the ciphertexts. Therefore, he cannot correct errors systematically, as required for an SECC scheme.

Decryption.

Here, we assume that the receiver can synchronize with the sender on the sequences of vectors $X_i$ and $Z_i$ added to the plaintext and to the corresponding codeword respectively. Furthermore, we assume that the decoding is carried out correctly. The decryption sequence is given below:
$$ D(C_1') = X_1 = f(M_1), \qquad f^{-1}(X_1) = M_1, $$
$$ D(C_2' + g(X_1)) = X_2 = f(M_2 + X_1), \qquad f^{-1}(X_2) + X_1 = M_2, $$
$$ \vdots $$
$$ D(C_t' + g(X_{t-1})) = X_t = f(M_t + X_{t-1}), \qquad f^{-1}(X_t) + X_{t-1} = M_t. $$

Because the errors introduced deliberately at the sender end can be removed at the receiver end by this synchronization, the error-correcting capability of the code is fully preserved for possible channel errors. By this chaining feature, errors due to an intruder's tampering which cannot be corrected by the code will propagate all the way through to the last block. However, this may serve as a checksum to detect illegal modification of the ciphertext by the intruder [Denning 82]. Hence the proposed scheme provides not only data reliability and data secrecy but also data integrity (data authenticity) [Meyer 82]. That is, the SECC scheme using the block chaining technique can provide two levels of error control. The first level is the correction of channel errors; the second level is the detection of uncorrectable modification of the ciphertext by the intruder. But the presence of such errors requires the retransmission (or re-enciphering) of all blocks chained together.
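As an added example (not the paper's code), the Python below runs the chained encryption and decryption sequences above with constructed stand-ins: $G$ is the [7, 4, 3] Hamming generator, $f$ a secret 4-bit substitution table, and $g$ a secret table mapping each 4-bit $X_i$ to an error of weight at most one, so every $Z_i$ is correctable. It shows a single channel error being corrected in the middle of the chain and a two-bit modification (more than the code can correct) being decoded to a wrong $X_i$ that then corrupts every later block, which is the error-propagation property the text relies on for integrity.

```python
import random

K, N = 4, 7
# Rows of a systematic generator matrix G of the [7, 4, 3] Hamming code, as 7-bit ints
# (bit 6 is the first coordinate). Constructed toy code; corrects one error per block.
G_ROWS = [0b1000110, 0b0100101, 0b0010011, 0b0001111]


def encode(x):
    """x G over GF(2): XOR of the rows selected by the bits of the 4-bit message x."""
    cw = 0
    for i, row in enumerate(G_ROWS):
        if (x >> (K - 1 - i)) & 1:
            cw ^= row
    return cw


CODEBOOK = {encode(x): x for x in range(1 << K)}


def decode(word):
    """D: nearest-codeword decoding of a 7-bit word; returns the 4-bit message."""
    nearest = min(CODEBOOK, key=lambda cw: bin(cw ^ word).count("1"))
    return CODEBOOK[nearest]


def keygen(seed):
    """f: secret invertible nonlinear 4-bit map; g: secret 4-bit -> 7-bit expanding map
    whose outputs are correctable errors (weight <= 1, the zero vector allowed)."""
    rng = random.Random(seed)
    f = list(range(1 << K))
    rng.shuffle(f)
    g = [rng.choice([0] + [1 << b for b in range(N)]) for _ in range(1 << K)]
    return f, g


def encrypt_chain(key, blocks, z1):
    """C_1 = f(M_1) G + Z_1,  C_i = f(M_i + X_{i-1}) G + g(X_{i-1})  (i > 1)."""
    f, g = key
    out, x_prev, z = [], 0, z1
    for m in blocks:
        x = f[m ^ x_prev]               # X_i = f(M_i + X_{i-1}), with X_0 = 0
        out.append(encode(x) ^ z)       # C_i = X_i G + Z_i
        x_prev, z = x, g[x]             # Z_{i+1} = g(X_i)
    return out


def decrypt_chain(key, received):
    """M_i = f^{-1}(D(C_i' + g(X_{i-1}))) + X_{i-1}; the receiver regenerates each Z_i
    from the previous X_{i-1}. Z_1 is unknown to the receiver and is absorbed by the
    decoder, as in the paper's D(C_1') = X_1 (so block 1 has no margin for channel errors)."""
    f, g = key
    f_inv = {v: i for i, v in enumerate(f)}
    out, x_prev, z = [], 0, 0
    for c in received:
        x = decode(c ^ z)
        out.append(f_inv[x] ^ x_prev)
        x_prev, z = x, g[x]
    return out


def with_flips(blocks, index, positions):
    """Constructed channel error / tampering: flip the given bit positions of one block."""
    mask = sum(1 << p for p in positions)
    return [c ^ mask if i == index else c for i, c in enumerate(blocks)]


def demo(seed=3):
    """Returns (clean round trip ok, single channel error corrected,
    block before the tampered one intact, tampered block and all later ones corrupted)."""
    key = keygen(seed)
    msgs = [5, 5, 5, 9, 0, 14]
    ct = encrypt_chain(key, msgs, z1=1 << 2)
    clean = decrypt_chain(key, ct)
    corrected = decrypt_chain(key, with_flips(ct, 2, [4]))      # one channel error
    tampered = decrypt_chain(key, with_flips(ct, 1, [0, 6]))    # two flipped bits
    return clean == msgs, corrected == msgs, tampered[:1] == msgs[:1], tampered[1:] != msgs[1:]


if __name__ == "__main__":
    print(demo())
```

A two-bit change always lands within distance one of a wrong codeword of this perfect code, so the tampered block decodes to a wrong $X_i$; from there on the receiver's $X_{i-1}$ and $Z_i$ no longer match the sender's, which is the propagation the scheme turns into a tamper check.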

3.2 Security of the Proposed SECC Scheme

If we define errors in one block of binary information as the bits that differ from the original block sent by the sender, then both channel errors and an intruder's tampering are regarded as errors. However, the manner in which errors are introduced by channel noise differs from that of an intruder's tampering. The errors introduced by tampering are primarily multiple errors. In binary symmetric channels, the probability of multiple random errors is very small [Lin 83]. Algebraic codes are designed for correcting random errors due to channel noise. They are not designed to correct multiple errors due to an intruder's tampering. In the presence of multiple errors, erroneous decoding might occur. Consequently, to combat the problems of an insecure and unreliable channel, a scheme that is capable of hiding information, correcting channel errors and also detecting any illegal modification to the ciphertext is desirable. The SECC scheme based on the block chaining technique provides these characteristics and hence is very useful in an insecure and unreliable environment.

The SECC scheme withstands ST-type chosen-plaintext attacks because the plaintext is transformed by a nonlinear function $f$ before encoding and also because of the chaining feature. This prevents the cryptanalyst from constructing unit vectors from the chosen plaintexts to derive $G$.

Simplified versions of the SECC Scheme

To show how this scheme provides a high level of security, we may consider two simplified versions of the original one. First, if $X_i$, the output of $f$, is fed forward to the function $g$ only (i.e., $X_i$ is not fed back to $f$), then the encryption sequence is as follows:
$$ C_1 = f(M_1)\,G + Z_1, $$
$$ C_2 = f(M_2)\,G + g(f(M_1)), $$
$$ \vdots $$
$$ C_i = f(M_i)\,G + g(f(M_{i-1})). $$
A chosen-plaintext attack can break $G$ if $g$ is a public linear function that has a left inverse. For example, let $M_i = M_{i+1}$ and $M_{i+2} = M_{i+3}$. Then
$$ C_{i+1} + C_{i+2} = \big(f(M_{i+1}) + f(M_{i+2})\big)\,G, \quad\text{and} $$
$$ C_{i+2} + C_{i+3} = g(f(M_{i+1})) + g(f(M_{i+2})) = g\big(f(M_{i+1}) + f(M_{i+2})\big). $$
Thus $f(M_{i+1}) + f(M_{i+2}) = g^{-1}(C_{i+2} + C_{i+3})$, and the first equation then gives the product of a known vector with $G$. If the cryptanalyst can obtain $k$ such distinct pairs, then $G$ can be derived. However, if $g$ is a secret nonlinear function or $g$ has no left inverse, then this attack does not work.

On the other hand, if $X_i$ is fed back to $f$ only (i.e., $X_i$ is not fed forward to $g$), then the encryption sequence is as follows:
$$ C_1 = f(M_1)\,G, $$
$$ C_2 = f(M_2 + X_1)\,G, \qquad (X_1 = f(M_1)), $$
$$ \vdots $$
$$ C_i = f(M_i + X_{i-1})\,G, \qquad (X_{i-1} = f(M_{i-1} + X_{i-2})). $$
To attack the scheme, the cryptanalyst may look for equal ciphertexts. For example, if $C_i = C_j$, then $f(M_i + X_{i-1}) = f(M_j + X_{j-1})$, i.e., $X_i = X_j$. If $f$ is a linear transformation, then $C_{i+1} + C_{j+1} = f(M_{i+1})\,G + f(M_{j+1})\,G$. Thus $fG$ can be figured out by a known-plaintext attack.

If $f$ is a nonlinear transformation, then this line of attack may not work. However, the cryptanalyst could collect $k$ linearly independent codewords to construct a generator matrix $\hat{G}$ that is combinatorially equivalent to $G$. Let $\hat{G} = S^{-1} G$ for some nonsingular matrix $S$ of rank $k$. Since the number of nonsingular matrices of rank $k$ is about $0.3 \times 2^{k^2}$, it is computationally infeasible to determine the matrix $G$ actually used if $k$ is large enough. Thus the scheme appears secure. But the cryptanalyst may be able to correct channel errors if $t$ is small (e.g., $t \le 2$). Thus it is important to feed $X_i$ forward to $g$ in order to construct an SECC system. As a result, the SECC scheme can be very secure if $f$ is an invertible nonlinear function and $g$ is a nonlinear one-way function. It will be a challenge to design other lines of attack to break this scheme.

4. Conclusion

For the very first time, we introduce the concept of secret error-correcting codes in this paper. An SECC scheme combines data encoding with data encryption into one process and enables the system to correct channel errors and conceal information from unauthorized users simultaneously. The main purpose of this research is to construct SECC schemes that facilitate reliable, secure and efficient digital transmission.

We have proposed two SECC schemes to realize this new concept. The first is a block encryption using Preparata-based nonlinear codes. In this scheme, each block can be enciphered and deciphered independently.

The other SECC scheme is based on the block chaining technique. This scheme provides not only data secrecy and data reliability but also data integrity, due to the chaining feature. However, the decryption of each ciphertext cannot be carried out independently: a decoding error in one block requires retransmission of all blocks chained together.

Although we have investigated various cryptanalytic attacks against these schemes, they are still not fully proven systems. Several problems relating to the proposed schemes, such as key generation and key management, remain unsolved. Furthermore, there may exist other good techniques to realize the SECC concept. These indeed require further research.






References

[Denning 82] Dorothy E. Denning, Cryptography and Data Security, Addison-Wesley, 1982.

[Diffie 76] Whitfield Diffie and Martin E. Hellman, "New Directions in Cryptography," IEEE Trans. on Information Theory, Vol. IT-22, No. 6, pp. 644-654, Nov. 1976.

[Lin 83] Shu Lin and Daniel J. Costello, Jr., Error Control Coding: Fundamentals and Applications, Prentice-Hall, 1983.

[MacWilliams 77] F.J. MacWilliams and N.J.A. Sloane, The Theory of Error-Correcting Codes, North-Holland, Amsterdam, 1977.

[McEliece 78] R.J. McEliece, "A Public-Key Cryptosystem Based on Algebraic Coding Theory," DSN Progress Report, Jet Propulsion Laboratory, CA, Jan. & Feb. 1978, pp. 42-44.

[Meyer 82] C.H. Meyer and S.M. Matyas, Cryptography: A New Dimension in Computer Data Security, John Wiley & Sons, Inc., 1982.

[Peterson 72] W. Wesley Peterson and E.J. Weldon, Jr., Error-Correcting Codes, Second Edition, The MIT Press, 1972.

[Preparata 68] F.P. Preparata, "A Class of Optimum Nonlinear Double-Error-Correcting Codes," Inform. and Control, 13, pp. 378-400, 1968.

[Rao 85] T.R.N. Rao, "Cryptosystems Using Algebraic Codes," IEEE International Symp. on Info. Theory, Brighton, England, June 1985.

[Rao 87] T.R.N. Rao and K.H. Nam, "A Private-Key Algebraic-Coded Cryptosystem," Advances in Cryptology: CRYPTO '86, A.M. Odlyzko (ed.), Springer-Verlag, New York, pp. 35-48, 1987.

[Shannon 48] C.E. Shannon, "A Mathematical Theory of Communication," Bell Syst. Tech. J., 27, pp. 379-423 (Part I), 623-656 (Part II), July 1948.

[Struik 87] R. Struik and J. van Tilburg, "The Rao-Nam Scheme is Insecure Against a Chosen-Plaintext Attack," Advances in Cryptology: CRYPTO '87, pp. 445-457, 1987.

[Wood 81] Charles C. Wood, "Future Application of Cryptography," Proc. of the 1981 Symposium on Security and Privacy, pp. 70-74, Apr. 1981.

[Vasil'yev 62] Ju. L. Vasil'yev, "Nongroup Close-Packed Codes," Probl. Cybernet. (USSR) 8, pp. 337-339, 1962.



The Detection of Cheaters in Threshold Schemes

E. F. Brickell
Sandia National Laboratories
Albuquerque, NM 87185

D. R. Stinson
Department of Computer Science
University of Manitoba
Winnipeg, Manitoba R3T 2N2 Canada

Abstract

Informally, a $(t, w)$-threshold scheme is a way of distributing partial information (shadows) to $w$ participants, so that any $t$ of them can easily calculate a key (or secret), but no subset of fewer than $t$ participants can determine the key. In this paper, we present an unconditionally secure threshold scheme in which any cheating participant can be detected and identified with high probability by any honest participant, even if the cheater is in coalition with other participants. We also give a construction that will detect with high probability a dealer who distributes inconsistent shadows (shares) to the honest participants. Our scheme is not perfect; a set of $t-1$ participants can rule out at most $1 + \cdots$ possible keys, given the information they have. In our scheme, the key will be an element of GF($q$) for some prime power $q$. Hence, $q$ can be chosen large enough so that the amount of information obtained by any $t-1$ participants is negligible.

1. Introduction

Informally, a $(t, w)$-threshold scheme is a way of distributing partial information (shadows) to $w$ participants, so that any $t$ of them can easily calculate a key (or secret), but no subset of fewer than $t$ participants can determine the key. Threshold schemes are also known as secret sharing schemes. A perfect threshold scheme is one in which no subset of fewer than $t$ participants can determine any partial information regarding the key.
Threshold schemes were first described independently by Blakley [2] and Shamir [7] in 1979. Since then, many constructions have been given for threshold schemes. More recently, various researchers have considered the problem of guarding against the presence of cheaters in threshold schemes. It is conceivable that any subset of the participants may attempt to cheat, that is, to deceive any of the other participants by lying about the shadows they possess. There is also the possibility that the person distributing the shadows (the dealer) may attempt to cheat. The dealer might distribute an inconsistent set of shadows, so that the key cannot be determined correctly, or so that different subsets of $t$ participants would calculate different keys from the shadows they possess. If this is done without the knowledge or co-operation of any of the participants, we refer to this form of cheating as disruption. However, if this cheating is done in co-operation with one or more of the participants, we call it collusion.

A threshold scheme is said to be unconditionally secure (against cheating) if the probability of cheating successfully is independent of the computational resources available to the cheaters. Under the assumption that the dealer is honest, several constructions have been given for threshold schemes which are unconditionally secure against cheating [3, 6, 8, 9]. We now briefly summarize the properties of these threshold schemes.

As far as the authors are aware, the first researchers to address the problem of cheaters in threshold schemes were McEliece and Sarwate in [6]. They use an error-correcting code to construct a threshold scheme in which any group of $t + 2e$ participants which includes at most $e$ cheaters can correctly calculate the key.

Tompa and Woll [9] proceed as follows. The dealer specifies a subset $K_0$ of the set of possible keys $K$. A key will be accepted as authentic only if it is an element of $K_0$. If a set of $t$ participants calculate the key to be an element of $K \setminus K_0$, then they realize that one of them is cheating. The probability of successful cheating is at most $1 - |K_0| / |K|$, even if $t-1$ participants conspire to cheat another participant. However, even though participants can detect when cheating has occurred, they cannot determine who is cheating.

The construction of Simmons [8] is more general, in that it can be applied to most existing threshold schemes. This method detects cheating only if at least $t+1$ participants exchange their shadows. Define a set $S$ of at least $t$ shadows to be consistent if all $t$-subsets of $S$ determine the same key. Then, a key is accepted as authentic only if there is a consistent subset of at least $t+1$ shadows which determine it. If $t+e$ participants exchange shadows and there are at most $e-1$ cheaters among them, then they possess a consistent subset of at least $t+1$ shadows. Unfortunately, the only known method to determine the existence of a consistent set of $t+1$ shadows is an exhaustive search.

Finally, Chaum [3] has suggested the following approach. For each bit $b$ to be communicated to the $i$th participant, the dealer chooses $2w-2$ large random numbers $r_{j0}$ and $r_{j1}$ ($1 \le j \le w$, $j \ne i$). For each $j$, $r_{j0}$ and $r_{j1}$ are given to participant $j$. The dealer gives to the $i$th participant the bit $b$ and all $r_{jb}$ ($1 \le j \le w$, $j \ne i$). Then, $r_{jb}$ is used to authenticate the bit $b$ (as 0 or 1, respectively) to participant $j$. This procedure is used for every bit communicated to each participant.

In the schemes discussed above, it is assumed that the dealer is honest. Also, the Tompa and Woll scheme and the Simmons construction require that the participants be able to simultaneously release their shadows, in order to ensure that no participant is able to obtain partial information about the shadows of the other participants before releasing his own shadow. Simultaneous release of shadows is not required in the Chaum scheme.

Threshold schemes which provide protection against dealer disruption have been presented by Chor, Goldwasser, Micali and Awerbuch in [5] and by Benaloh in [1]. These schemes provide computational security only, since they rely on computational assumptions regarding certain encryption schemes. Chaum, Crepeau and Damgard [4] use threshold schemes as a building block in unconditionally secure multiparty protocols. They tolerate both dealer disruption and collusion, but require that fewer than one third of the participants cheat. Under these assumptions, they describe a scheme that is unconditionally secure and which allows the key to be determined correctly by the honest participants.

The threshold scheme we present provides unconditional security and gives the honest participants the ability to identify cheaters, assuming the dealer is honest. Also, we do not require that the participants simultaneously release their shadows. The properties of our construction can be summarized as follows.

1) The key is an element of GF($q$), and each shadow is a $t$-dimensional vector over GF($q$) ($q$ will be some large prime power).

2) Any participant who attempts to cheat will be identified by any honest participant with probability $1 - 1/(q-1)$.

3) Even if there is only one honest participant and the remaining $w-1$ participants form a coalition in order to deceive him, their probability of cheating successfully is only $(w-t+1)/(q-1)$.

4) The scheme is nearly perfect. A group of $t-1$ participants can eliminate at most $1 + \cdots$ possible keys, and can obtain no other partial information about the key. If $q$ is large, this will cause no difficulty in practice.

5) The scheme can also protect against dealer disruption, by using a "cut-and-choose" technique similar to that of [4].
2. The construction 

Our construction is a modification of Blakley's threshold scheme [2], which we now
review briefly. Suppose the participants are denoted A_i, 1 ≤ i ≤ w, and the dealer
is denoted by D. Let V be a t-dimensional vector space over GF(q), where q is
some large prime power. First, D fixes a line ℓ in V. This line is made known to
all the participants. There are q possible keys, namely the q points on ℓ. If D
wants to distribute shadows corresponding to a key p, he first constructs a random
(t - 1)-dimensional subspace H that meets ℓ in a point. Then, he constructs the
hyperplane H_p = H + p. (Note that H_p ∩ ℓ = p.) Finally, he picks w random points
on H_p, denoted s_i (1 ≤ i ≤ w), such that the points in the set {p} ∪ {s_i : 1 ≤ i ≤ w} are
in general position (that is, no j of them lie on a flat of dimension j - 2, if j ≤ t).
The point s_i is the shadow that D gives to A_i.

Any t participants can uniquely determine the hyperplane H_p, and then obtain p
by calculating H_p ∩ ℓ = p. However, a subset of t' (< t) participants know only that
H_p contains the flat F of dimension t' - 1 generated by the shadows they possess.
For any p' on ℓ there is a hyperplane H_{p'} containing F and p'. Hence, they have no
information as to the point p. Thus, the scheme is indeed a (t, w)-threshold
scheme.



In order to guard against cheating, we modify the threshold scheme. D will
distribute extra information to the participants, along with the shadows. For ease
of exposition, we first discuss the case t = 2. In this case, H is a 1-dimensional
subspace and the hyperplane H_p is a line. D constructs w random 1-dimensional
subspaces, denoted H_i (1 ≤ i ≤ w), each of which is distinct from H. We do not
require that the subspaces H_i (1 ≤ i ≤ w) be distinct. D gives to each A_i the w - 1
parallel lines H_ij = H_i + s_j, 1 ≤ j ≤ w, j ≠ i. These lines H_ij are called supershadows.
Note that H_ij is given only to A_i.
We must first show that knowledge of the supershadows does not enable any one
participant to determine the key. Let's consider A_1. He knows that s_2 ∈ H_12.
This does give him some partial information, namely that the key p ≠ H_12 ∩ ℓ.
For, if p = H_12 ∩ ℓ then p = s_2, which is not allowed. Similarly, A_1 knows that p ≠
H_1i ∩ ℓ for any i, 2 ≤ i ≤ w. As well, p ≠ H_11 ∩ ℓ, where H_11 denotes the line
through s_1 parallel to the H_1i's. For, this would require that H_p = H_11, but
s_2 ∉ H_11. Thus, A_1 has ruled out w possibilities for p. However, the key p could
be any point p_0 on ℓ other than these w points, since the line p_0 s_1 will intersect
each H_1i in a point. Each of these q - w possibilities for p is equally likely to
occur.

Hence, each participant can rule out w possibilities for the key, and knows that 
the key is equally likely to be one of the q — w remaining possibilities. Thus, the 
scheme is no longer perfect. However, if q is large relative to w, this will cause no 
difficulty in practice. (A variation of this scheme, described in Section 4, allows 
only one possible value to be ruled out for the key in the case t = 2.) 

Next, we consider the possibility that certain participants will cheat, by lying as to
what shadows they possess. In the worst case, w - 1 participants, say A_i
(2 ≤ i ≤ w), will form a coalition in order to try to convince A_1 that the key is some
value p' ≠ p. We will assume that w ≥ 3, so that the coalition can determine the
line H_p and the key p before attempting to deceive A_1. Note that they can also
calculate s_1, since s_1 = H_p ∩ H_21, for example.

Suppose A_2 tells A_1 that his shadow is some point s_2' rather than s_2. A_2 will not
choose s_2' to be any point on ℓ or any point on the line through s_1 parallel to ℓ,
since A_1 would then realize that A_2 is lying. Also, A_2 will not choose s_2' to be a
point on H_p, since this would not deceive A_1 as to the value of p. Hence, he will
choose s_2' to be one of the remaining q^2 - 3q + 2 points. For any such choice of s_2',
there is a unique line H_12' joining s_2' and s_2, and A_1 will be deceived if and only if
H_12' = H_12. Since H_12 ≠ H_p, there are q - 1 possibilities for H_12, all equally likely,
and A_2 cannot bias his choice towards the right one, because H_12 was given only
to A_1. Thus, the chance that A_2 deceives A_1 is 1 / (q - 1).
If all the other A_i (2 ≤ i ≤ w) independently try to deceive A_1 in a similar fashion,
the probability that at least one of them succeeds is



Their best strategy is to conspire; if they ensure that no two of the lines s_i' s_i are
parallel, then A_1 will be deceived by one of them with probability equal to
(w - 1) / (q - 1). This will be a negligible quantity if q is large compared to w.

If w = 2, then the analysis is slightly different. Suppose A_2 attempts to deceive
A_1. If A_2 can obtain the value of s_1, then the arguments proceed as before, and A_2
can deceive A_1 with probability 1 / (q - 1). (This could happen if A_1 reveals s_1 to
A_2 before A_2 reveals s_2 to A_1, for example.) If A_2 cannot obtain the value of s_1,
then his probability of deceiving A_1 is decreased to 1 / q, since he might choose s_2'
to be a point on H_p.
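The t = 2 construction and the two facts established about it (a single participant can rule out exactly w keys, and a forged shadow escapes A_1's check with probability 1 / (q - 1)) can be run through concretely. The Python script below is an added worked example, not code from the paper. The field size q = 101, the choice of ℓ as the x-axis, and all function names are the example's own assumptions; each H_i is drawn with direction (v, 1), v ≠ u, so that it is distinct from H and meets ℓ, as the analysis above requires.

```python
"""(2, w) version of the scheme over GF(q), with shadows, supershadows and the checks
discussed above.  Points are (x, y) over GF(Q); the public line ell is the x-axis, so a
key p = (k, 0) is written as k.  Lines are kept as (nx, ny, c): nx*x + ny*y = c (mod Q)."""
import random

Q = 101   # small prime standing in for the "large prime power" q (constructed parameter)

def on_line(line, pt):
    nx, ny, c = line
    return (nx * pt[0] + ny * pt[1] - c) % Q == 0

def line_dir(pt, v):
    """The line through pt with direction (v, 1); it is never parallel to ell."""
    return (1, (-v) % Q, (pt[0] - v * pt[1]) % Q)

def direction(s, s2):
    """v such that s2 - s is a multiple of (v, 1) (the two points never share a y here)."""
    return (s2[0] - s[0]) * pow((s2[1] - s[1]) % Q, -1, Q) % Q

def deal(key, w, rng):
    """Dealer D: H_p = p + <(u, 1)>, shadows s_i = p + r_i (u, 1), supershadows H_ij = H_i + s_j."""
    p = (key % Q, 0)
    u = rng.randrange(Q)                          # direction of H; H meets ell in one point
    r = rng.sample(range(1, Q), w)                # distinct and non-zero: shadows distinct, off ell
    shadows = [((p[0] + ri * u) % Q, ri) for ri in r]
    dirs = [rng.choice([v for v in range(Q) if v != u]) for _ in range(w)]   # H_i != H
    supershadows = {i: {j: line_dir(shadows[j], dirs[i]) for j in range(w) if j != i}
                    for i in range(w)}
    return shadows, dirs, supershadows

def reconstruct(s1, s2):
    """Two participants: meet the line s1 s2 with ell (y = 0) and return the key."""
    lam = (-s1[1]) * pow((s2[1] - s1[1]) % Q, -1, Q) % Q
    return (s1[0] + lam * (s2[0] - s1[0])) % Q

def accepts(supershadows, i, j, claimed):
    """A_i's check on the shadow A_j claims to hold: it must lie on H_ij."""
    return on_line(supershadows[i][j], claimed)

def keys_consistent_with_view(shadows, dirs, supershadows, i):
    """Keys A_i cannot exclude: (k, 0) on none of H_ij (j != i) and H_ii.  There are q - w."""
    lines = list(supershadows[i].values()) + [line_dir(shadows[i], dirs[i])]
    return [k for k in range(Q) if not any(on_line(L, (k, 0)) for L in lines)]

def forge(shadows, rng):
    """A_2's forged s_2': off ell, off the horizontal through s_1, off H_p, and not a
    horizontal move from s_2 (such a point lies on no supershadow, so it never deceives)."""
    s1, s2 = shadows[0], shadows[1]
    hp = line_dir(s2, direction(s1, s2))
    while True:
        cand = (rng.randrange(Q), rng.randrange(Q))
        if cand[1] not in (0, s1[1], s2[1]) and not on_line(hp, cand):
            return cand

def deception_rate(shadows, forged):
    """Fix the forgery and vary D's secret H_1 over its q - 1 admissible directions:
    count how many of them make A_1 accept.  Returns (hits, q - 1)."""
    s1, s2 = shadows[0], shadows[1]
    u = direction(s1, s2)
    hits = sum(on_line(line_dir(s2, v), forged) for v in range(Q) if v != u)
    return hits, Q - 1

def demo(seed=7, key=42, w=5):
    """Deal a (2, 5) instance and evaluate the checks discussed in the text."""
    rng = random.Random(seed)
    shadows, dirs, ss = deal(key, w, rng)
    forged = forge(shadows, rng)
    return {"reconstructed": reconstruct(shadows[0], shadows[1]),
            "honest_accepted": all(accepts(ss, 0, j, shadows[j]) for j in range(1, w)),
            "forged_accepted": accepts(ss, 0, 1, forged),
            "deception": deception_rate(shadows, forged),
            "keys_left": len(keys_consistent_with_view(shadows, dirs, ss, 0))}
```

deception_rate keeps the forged point fixed and varies the dealer's secret H_1 over its q - 1 admissible directions; exactly one of them makes A_1 accept, which is the 1 / (q - 1) of the text. keys_consistent_with_view enumerates the keys A_1 cannot exclude from his shadow and supershadows and returns q - w of them.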

Let's now consider the general case t ≥ 3. Recall that H is a (t - 1)-dimensional
subspace and H_p is a hyperplane. D constructs w random (t - 1)-dimensional
subspaces, denoted H_i (1 ≤ i ≤ w). We require that the intersection of H with j - 1
of these H_i's is a subspace of dimension t - j, if j ≤ t. (In the case t = 2, this
condition reduces to the previous requirement that the H_i's (1 ≤ i ≤ w) be distinct
from H.) The w - 1 supershadows D gives to each A_i are the parallel hyperplanes
H_ij = H_i + s_j, 1 ≤ j ≤ w, j ≠ i.

One way to select the H_i's is as follows. First, choose w subspaces of H, denoted K_i
(1 ≤ i ≤ w), each of dimension t - 2, in general position. Then select w points not in
H, denoted q_i (1 ≤ i ≤ w). These points need not be distinct. Finally, define H_i to
be the subspace spanned by K_i and q_i (1 ≤ i ≤ w).

First, we show that knowledge of the supershadows does not enable any t - 1
participants to determine the key. Suppose that participants A_i, 1 ≤ i ≤ t - 1,
attempt to determine the key. They know that H_p contains F, the (t - 2)-
dimensional flat generated by s_1, ..., s_{t-1}. They know also that a shadow s_j
(t ≤ j ≤ w) occurs on the line ℓ_j which is the intersection of the H_ij, 1 ≤ i ≤ t - 1.
(Since ℓ_j meets H_p in a point, it has dimension one and is indeed a line.) Notice
that any two of these lines ℓ_j are parallel, since the hyperplanes H_ij are parallel
(for any fixed i).

We claim that for any j, t ≤ j ≤ w, ℓ_j and F generate the whole t-dimensional space
(consequently, ℓ_j ∩ F = ∅). This is seen as follows. Suppose ℓ_j and F are contained
in some hyperplane H', for some j, t ≤ j ≤ w. Since s_j ∈ ℓ_j and s_1, ..., s_{t-1} ∈ F,
H' = H_p. Then ℓ_j ⊆ H_p ∩ H_1j ∩ H_2j ∩ ... ∩ H_(t-1)j. It follows that H ∩ H_1 ∩ H_2 ∩
... ∩ H_{t-1} has dimension at least one, which is ruled out by the way in which the
hyperplanes H_i were chosen.

Next, we observe that F ∩ ℓ = ∅. It is impossible that ℓ ⊆ H_p, since H_p ∩ ℓ = {p} and
F ⊆ H_p. Also, F and ℓ cannot intersect in a point, for this point would have to be p,
which would contradict the requirement that the shadows are in general position
with respect to p.

It is now easy to verify that there is a unique point p' on ℓ such that the
hyperplane determined by F and p' is parallel to each ℓ_j, t ≤ j ≤ w. Then the key
p ≠ p'. For, if p = p', then H_p ∩ ℓ_j = ∅; but s_j ∈ H_p ∩ ℓ_j, a contradiction. This enables
the participants A_i (1 ≤ i ≤ t - 1) to rule out one possible value for the key.
There are in fact other points that can be ruled out as possible values for the key.
We saw earlier that when t = 2, the w - 1 points ℓ ∩ ℓ_j (t ≤ j ≤ w) can also be
eliminated as possible values for p. In general, the number of possible keys that
can be ruled out (other than the point p') is

$$\binom{w - t + 1}{t - 1}.$$

We can see this as follows. Let j_1, ..., j_{t-1} be distinct integers such that t ≤ j_i ≤ w
(1 ≤ i ≤ t - 1), and let U be the flat spanned by the ℓ_{j_i} (1 ≤ i ≤ t - 1). Since the lines
ℓ_j are all parallel, U has dimension at most t - 1. The flat T spanned by the points
s_{j_i} (1 ≤ i ≤ t - 1) has dimension t - 2, and is contained in U ∩ H_p. As well, ℓ_j ∩ H_p =
{s_j}, for any j, t ≤ j ≤ w. It follows that the dimension of U is exactly t - 1 and T =
U ∩ H_p.

Next, we observe that it is impossible that ℓ ⊆ U. Since ℓ ∩ H_p = {p}, this would
force p ∈ T. But then the t - 1 shadows s_{j_1}, ..., s_{j_{t-1}} and p would be
contained in the flat T having dimension at most t - 2. Hence, either ℓ ∩ U is
empty, or ℓ ∩ U is a point, say r. In the latter case, r cannot be the key, since (as
before) the t - 1 shadows s_{j_1}, ..., s_{j_{t-1}} and r would then be contained in the flat T.

Hence, it is possible that t - 1 participants can rule out as many as

$$1 + \binom{w - t + 1}{t - 1}$$

possible values for the key.

Example: Suppose we have a (3, 5)-threshold scheme over GF(q), for some large
prime q. Suppose ℓ is the line (θ, 0, 0) (θ ∈ GF(q)), s_1 = (1, 1, 2) and s_2 = (1, 1, 6).
Thus, F is the line (1, 1, θ) (θ ∈ GF(q)). Suppose also that ℓ_3 is the line (1 + α, 3 - α,
2) (α ∈ GF(q)), ℓ_4 is the line (1 + α, -α, 1), and ℓ_5 is the line (8 + α, -α, 3) (these three
lines are parallel, having direction vector (1, -1, 0)). A_1 and A_2 would analyze the
situation as follows. Suppose the key is p = (x_0, 0, 0). Then, H_p is the plane
x + y(x_0 - 1) = x_0. This plane intersects ℓ_3, ℓ_4, and ℓ_5 if and only if x_0 ≠ 2. Thus,
(2, 0, 0) is ruled out as the key. Three other points can also be ruled out. For
example, ℓ_3 and ℓ_4 generate the plane U having equation x + y - 3z = -2. U meets ℓ
in the point (-2, 0, 0). If -2 were the key, then H_p would have equation x - 3y =
-2. Hence, it would follow that s_3 = (5/2, 3/2, 2) and s_4 = (1/4, 3/4, 1) (all
arithmetic being done in GF(q)). Then s_3, s_4, and p are all collinear, a
contradiction. In a similar manner, -4 is ruled out by consideration of ℓ_3 and ℓ_5,
and -5/2 is eliminated by consideration of ℓ_4 and ℓ_5.
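The (3, 5) example can be checked mechanically. The script below is an added example, not code from the paper: it codes the example's data over GF(101) (a small prime standing in for the "large prime q"), reproduces the three constructions of the text (the plane through F and p that is parallel to the ℓ_j, the planes U through pairs of the ℓ_j, and the collinearity contradiction) and, in keys_ruled_out_by_scan, simply tries every key and rejects those for which the induced shadows violate the dealer's general-position rule. All function names are the example's own.

```python
"""Reproduce the (3, 5) example over GF(Q) and scan all keys.

Vectors are 3-tuples over GF(Q).  ell is the x-axis, the known shadows are
s_1 = (1, 1, 2) and s_2 = (1, 1, 6); the unknown shadows lie on the parallel lines
ell_3, ell_4, ell_5 (base point + alpha * (1, -1, 0))."""
from itertools import combinations

Q = 101                                           # small prime (constructed parameter)
S1, S2 = (1, 1, 2), (1, 1, 6)
LINES = {3: (1, 3, 2), 4: (1, 0, 1), 5: (8, 0, 3)}  # base points of ell_3, ell_4, ell_5
DIR = (1, Q - 1, 0)                               # common direction (1, -1, 0)

def sub(a, b):
    return tuple((x - y) % Q for x, y in zip(a, b))

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q

def cross(a, b):
    return ((a[1] * b[2] - a[2] * b[1]) % Q,
            (a[2] * b[0] - a[0] * b[2]) % Q,
            (a[0] * b[1] - a[1] * b[0]) % Q)

def inv(x):
    return pow(x % Q, -1, Q)

def plane(p, a, b):
    """Plane through three points as (normal, const); the normal is zero iff they are collinear."""
    n = cross(sub(a, p), sub(b, p))
    return n, dot(n, p)

def meet(plane_, base, d):
    """Point where the line base + lam*d meets the plane, or None if the line is parallel."""
    n, c = plane_
    nd = dot(n, d)
    if nd == 0:
        return None
    lam = (c - dot(n, base)) * inv(nd) % Q
    return tuple((b + lam * di) % Q for b, di in zip(base, d))

def collinear(a, b, c):
    return cross(sub(b, a), sub(c, a)) == (0, 0, 0)

def key_ruled_out_by_parallelism():
    """The x0 for which H_p = <F, p> is parallel to the ell_j (the text's p': x0 = 2)."""
    return [x0 for x0 in range(Q) if dot(plane((x0, 0, 0), S1, S2)[0], DIR) == 0]

def key_from_pair(j, k):
    """U = plane through ell_j and ell_k; return x0 with (x0, 0, 0) = U ∩ ell, or None."""
    n = cross(DIR, sub(LINES[k], LINES[j]))
    if n[0] == 0:                          # U parallel to ell: no point to rule out
        return None
    return dot(n, LINES[j]) * inv(n[0]) % Q  # ell is (x, 0, 0), so n_x * x0 = const

def keys_ruled_out_by_scan():
    """Every x0 whose induced configuration {p, s_1, ..., s_5} breaks general position."""
    bad = []
    for x0 in range(Q):
        p = (x0, 0, 0)
        hp = plane(p, S1, S2)
        pts = [meet(hp, LINES[j], DIR) for j in (3, 4, 5)]
        if None in pts:                     # H_p misses some ell_j: no shadow there
            bad.append(x0)
            continue
        allpts = [p, S1, S2] + pts
        if len(set(allpts)) < 6 or any(collinear(*tr) for tr in combinations(allpts, 3)):
            bad.append(x0)
    return bad

if __name__ == "__main__":
    print(key_ruled_out_by_parallelism(), [key_from_pair(*jk) for jk in ((3, 4), (3, 5), (4, 5))])
    print(sorted(keys_ruled_out_by_scan()))
```

key_from_pair(3, 4), (3, 5) and (4, 5) return -2, -4 and -5/2 modulo 101, i.e. 99, 97 and 48, and key_ruled_out_by_parallelism returns [2], matching the text. The exhaustive scan contains these four keys and returns further ones as well: for the key 0, for instance, H_p is the plane x = y, ℓ_4 meets it in s_4 = (1/2, 1/2, 1) = s_1/2, so p, s_1 and s_4 are collinear. Triples of this kind, containing one of the known shadows, are not among the ones enumerated by the counting argument above.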



The last topic we examine in this section is the probability of successful cheating.
Suppose w - 1 participants, say A_i (2 ≤ i ≤ w), form a coalition in order to try to
convince A_1 that the key is some value p' ≠ p. Their best strategy is to leave t - 2
of their shadows unchanged, and lie about the remaining w - t + 1 shadows. The
probability that any particular forged shadow escapes detection by A_1 is 1 / (q - 1),
as in the t = 2 case. The chance that A_1 is fooled by at least one of the w - t + 1
altered shadows is at most (w - t + 1) / (q - 1).

3. A cut-and-choose procedure to eliminate dealer disruption

We can eliminate the possibility of dealer disruption by using a cut-and-choose
procedure, as in [4] and [1]. Let K be some security parameter (say K = 50). Suppose
H_p is the hyperplane a x^T = c, where the superscript "T" denotes transpose. The
following protocol will be repeated K times.

1. D generates a random non-singular matrix M and a random t-tuple b. D then
computes s_i' = s_i M^T + b and gives s_i' to A_i, 1 ≤ i ≤ w. (So, the s_i' are obtained
from the s_i by a random affine transformation.)

2. Depending on a coin flip f, D performs a) or b).

a) if f = "heads", then D reveals M and b, and each A_i verifies that s_i' =
s_i M^T + b.

b) if f = "tails", then D computes a' = a M^{-1} and c' = c + a' b^T, and reveals a'
and c'. Then, each A_i verifies that a' (s_i')^T = c'.

If the dealer can answer both challenges a) and b), then it must be the case that
c = a s_i^T, 1 ≤ i ≤ w. That is, the shadows all lie on a hyperplane. If the dealer
attempts to cheat, he can answer only one of the two challenges in any given
round of the protocol. Hence, the probability of the dealer fooling any given set of t
honest participants after K rounds is 2^{-K}.
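The first cut-and-choose protocol above, as an added simulation in Python (not the paper's code). The field size, t = 3, w = 4, the number of rounds and all names are the example's own assumptions. The cheating dealer is modelled as one whose shadows do not all satisfy a·x = c and who therefore has to bet on the coin before committing in step 1: betting on "heads" he commits to the true affine images of his shadows, betting on "tails" he commits to images of fresh points that do lie on the hyperplane.

```python
"""Cut-and-choose check that the dealer's shadows lie on one hyperplane a·x = c.

Row-vector convention as in the text: the dealer commits s_i' = s_i M^T + b, which
we compute as M s_i + b on column vectors (the same map)."""
import random

Q = 1_000_003   # prime field size (constructed toy parameter)
T, W = 3, 4     # threshold and number of participants

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q

def affine(M, b, v):
    """M v + b over GF(Q)."""
    return [(dot(row, v) + bi) % Q for row, bi in zip(M, b)]

def mat_inv(M):
    """Gauss-Jordan inverse over GF(Q); raises ValueError if M is singular."""
    n = len(M)
    A = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] % Q), None)
        if piv is None:
            raise ValueError("singular")
        A[col], A[piv] = A[piv], A[col]
        f = pow(A[col][col], -1, Q)
        A[col] = [x * f % Q for x in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                g = A[r][col]
                A[r] = [(x - g * y) % Q for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]

def random_invertible(n, rng):
    while True:
        M = [[rng.randrange(Q) for _ in range(n)] for _ in range(n)]
        try:
            mat_inv(M)
            return M
        except ValueError:
            pass

def random_point_on(a, c, rng):
    """Random x with a·x = c, solving for the last coordinate (a[-1] != 0 by construction)."""
    x = [rng.randrange(Q) for _ in range(len(a) - 1)]
    x.append((c - dot(a[:-1], x)) * pow(a[-1], -1, Q) % Q)
    return x

def honest_setup(rng):
    """A hyperplane a·x = c and W shadows on it."""
    a = [rng.randrange(Q) for _ in range(T - 1)] + [rng.randrange(1, Q)]
    c = rng.randrange(Q)
    return a, c, [random_point_on(a, c, rng) for _ in range(W)]

def off_hyperplane(shadows):
    """A cheating dealer's shadows: participant 3's point is nudged off the hyperplane."""
    bad = [list(s) for s in shadows]
    bad[2][-1] = (bad[2][-1] + 1) % Q
    return bad

def run_rounds(shadows, a, c, rounds, rng, honest=True):
    """Return the number of rounds in which every participant's check passes."""
    passed = 0
    for _ in range(rounds):
        M, b = random_invertible(T, rng), [rng.randrange(Q) for _ in range(T)]
        if honest or rng.random() < 0.5:
            # step 1 as specified (a cheating dealer betting on "heads" does the same)
            committed = [affine(M, b, s) for s in shadows]
        else:
            # cheating dealer betting on "tails": images of points that ARE on a·x = c
            committed = [affine(M, b, random_point_on(a, c, rng)) for _ in shadows]
        coin = rng.choice(("heads", "tails"))
        if coin == "heads":   # 2a: D reveals M, b; each A_i checks s_i' = M s_i + b
            ok = all(committed[i] == affine(M, b, shadows[i]) for i in range(W))
        else:                 # 2b: D reveals a' = a M^-1, c' = c + a'·b; A_i checks a'·s_i' = c'
            Minv = mat_inv(M)
            a_p = [dot(a, [Minv[k][j] for k in range(T)]) for j in range(T)]
            c_p = (c + dot(a_p, b)) % Q
            ok = all(dot(a_p, s) == c_p for s in committed)
        passed += ok
    return passed

def demo(seed=2024, rounds=50):
    """Rounds passed by an honest dealer and by the cheating dealer, out of `rounds`."""
    rng = random.Random(seed)
    a, c, shadows = honest_setup(rng)
    honest = run_rounds(shadows, a, c, rounds, rng)
    cheater = run_rounds(off_hyperplane(shadows), a, c, rounds, rng, honest=False)
    return honest, cheater, rounds

if __name__ == "__main__":
    print(demo())
```

demo() returns the number of rounds passed by the honest dealer (all of them) and by the cheating dealer (about half, so after K rounds he survives with probability about 2^{-K}). mat_inv, a Gauss-Jordan inverse over GF(Q), is the only non-trivial helper; it is what forms a' = a M^{-1} in challenge b).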

It is also easy to see that no information is revealed to the participants by this
protocol. If operation 2a) is performed in any round of the protocol, then the
participants learn only the affine transformation used in that round. This is of no
use in determining the key. If 2b) is performed, then the participants obtain the
hyperplane a' x^T = c'. This tells them nothing about H_p, since any hyperplane can
be mapped to any other hyperplane by means of an affine transformation.

Notice that we require the existence of a broadcast channel in step 2) of this 
protocol. This is a channel in which it is guaranteed that every participant 
receives the same information from the dealer (i.e. the values of M and b in 2a); or 
a' and c' in 2b)). If a broadcast channel is not used, then the dealer could attempt 
to cheat during this protocol by giving different information to different 
participants. 

We can also do a cut-and-choose procedure on the supershadows. Here, the object
is to convince each participant A_i that s_j ∈ H_ij, i ≠ j, without revealing s_j. Suppose
the hyperplane H_ij is given by the equation a_i · x = b_ij, 1 ≤ i, j ≤ w, i ≠ j. The
following protocol will be repeated K times.

1. For 1 ≤ j ≤ w, D generates a random t-tuple s_j', and gives s_j' to A_j. D then
computes b_ij' = a_i · s_j' and gives b_ij' to A_i, 1 ≤ i, j ≤ w, i ≠ j.

2. Depending on a coin flip f, D performs a) or b).

a) if f = "heads", then D reveals all s_j', 1 ≤ j ≤ w, and each A_i verifies that
b_ij' = a_i · s_j'.

b) if f = "tails", then D reveals all s_j + s_j', 1 ≤ j ≤ w, and each A_i verifies that
a_i · (s_j + s_j') = b_ij + b_ij', 1 ≤ j ≤ w.

The analysis of dealer disruption is similar to the previous situation. If the dealer
can answer both challenges a) and b) in any given round of the protocol, then it
must be the case that a_i · s_j = b_ij, 1 ≤ i, j ≤ w, i ≠ j. That is, the shadow s_j lies on the
hyperplane a_i · x = b_ij. As before, the probability of the dealer fooling any t honest
participants in all K rounds is 2^{-K}.

Next, we consider whether any information about the shadows is released by this
protocol. As before, if operation 2a) is performed in any round of the protocol, then
clearly no information about the shadows is released. If operation 2b) is done, then
A_i learns all values s_j + s_j', but this tells him nothing about any s_j.

Finally, observe that we require a broadcast channel in step 2), as in the previous 
protocol. 
Although the protocol protects against dealer disruption, we cannot guard against
collusion of the dealer and any participant. For suppose D colludes with
participant A_1. D can tell A_1 all the supershadows H_i1 and all the shadows s_i,
2 ≤ i ≤ w. No collusion can be detected in the cut-and-choose procedure, since A_1
never reveals any information. Then, suppose a group of t participants including
A_1, say {A_i : 1 ≤ i ≤ t}, attempt to determine the key. A_1 can compute the
intersection ℓ_1 of the t - 1 hyperplanes H_i1, 2 ≤ i ≤ t. Note that ℓ_1 is a line. If A_1
claims that his shadow is any point on ℓ_1 other than s_1, then the other t - 1
participants will not detect that he is cheating, and they will calculate an incorrect
key. In this way, A_1 can make the other t - 1 participants believe the key is any
value he desires.

4. Remarks 

There are many variations of this threshold scheme. For example, the threshold
scheme could be implemented in a projective space rather than in an affine space.
In the case t = 2, less partial information is revealed in a projective setting. D
would fix a line ℓ in a projective plane P. As before the key p would be a point on ℓ.
D also picks a random line H intersecting ℓ in p, and distributes points on H \ {p} as
the shadows. Supershadows are obtained as follows. For each participant A_i, D
picks a point q_i ∈ ℓ \ {p} (these points need not be distinct). The supershadow H_ij
is the line s_j q_i. With supershadows defined in this way, each participant A_i can
only rule out the point q_i as the key (note that A_i can compute q_i as the
intersection of any two of the supershadows he possesses).

It is an interesting open question to determine if there is a perfect threshold 
scheme satisfying all the other properties of our scheme (i.e. one in which no 
possible keys can be ruled out). 

Another question is the amount of computation required. The dealer must verify 
certain conditions, including that the shadows are in general position. This is not 
difficult for small t and w, but could require a lot of time if t and w are large. Is 
there a scheme which is still computationally efficient for large t and w? (Note 
that the Shamir scheme [7] is computationally efficient; but it is not clear how to 
modify it to detect cheating.) 

Yet another issue is the amount of (secret) information that needs to be 
communicated, in the form of shadows and supershadows. We ask if a scheme can 
be constructed which requires less information to be distributed. 
Finally, we ask if it is possible to construct a threshold scheme that provides
unconditional security against collusion of the dealer and one or more
participants.

Added in proof

After writing this paper, we discovered that Tal Rabin was working independently 
on a related problem. Her results were presented at CRYPTO '88, in a paper 
entitled "Robust sharing of secrets when the dealer is honest or cheating". The 
techniques she employs can also be used to solve the problem we consider in our 
paper. Our approach requires that less secret information be communicated, but 
is slightly less efficient computationally. 
On the Power of 1-way Functions (Abstract)

The earliest definition of 1-way function is due to Berman [Ber77], who considered
polynomial-time computable, length-increasing, 1-1 functions that do not have
polynomial-time computable inverses. Recently, more powerful notions have been considered, e.g., polynomial-
time computable, length-increasing, 1-1 functions f such that the probability that a BPP
algorithm can compute x from f(x) for a randomly selected x is superpolynomially small
[CYa82]. Whatever definition is used, these functions are necessarily easy to invert on some
inputs:

Proposition 1 If f is a polynomial-time computable, length-increasing, 1-1 function, and 
if p is a polynomial, then there is a polynomial time algorithm that for sufficiently large n 
inverts f on at least p(n) strings of length less than n. Therefore, the range of every such 
function must contain a polynomial-time computable subset of arbitrarily large polynomial 
census. 

We ask whether or not Proposition 1 is optimal. 

Definition 2 A polynomial-time computable, length-increasing 1-1 function f is an annihi- 
lating function if every polynomial time decidable subset of the range of f is sparse. 

Polynomial-time computations can do little to invert an annihilating function. The definition,
although originally intended as a tool to overthrow the Berman-Hartmanis isomorphism
conjecture [BH77, KMR89], can be motivated on a purely cryptographic basis: To defeat
traffic analysis, two sites will send invalid messages to maintain a constant level of virtual
traffic, irrespective of the actual traffic. If an eavesdropper could distinguish valid from
invalid messages, this stratagem would fail. The point behind the definition of an annihilating
function is that a polynomial-time algorithm will not permit an eavesdropper to pick out
enough valid messages upon which to base a traffic analysis.

We would like to know whether or not annihilating functions exist. It probably doesn't
make sense to attack this question directly, as annihilating functions are 1-way functions in at
least the Grollmann-Selman sense, and so their existence would entail P ≠ UP and therefore
P ≠ NP. As a surrogate, we obtain:

Theorem 3 With probability 1 relative to a random oracle, annihilating functions exist.

The instant reaction to Theorem 3 is to ask whether or not it gives us any meaningful 
insight into the unrelativized case. In general, we do not believe that it is reasonable to base 
one's intuitions about unrelativized computational world upon relativized worlds. After all, 
unrestricted relativizations can be used to produce conflicting "worlds." 

Random relativizations, on the other hand, cannot conflict with one another. The "mea- 
sure 1" relativized theory is consistent and well-defined. More importantly, the successful 
use of pseudo-random number generators in lieu of truly random numbers in probabilistic 
factoring algorithms makes it seem plausible that computational complexity theory relative 
to a random oracle is similar to unrelativized computation complexity theory. This intu- 
ition was formalized by Bennett and Gill [BG81] as the random oracle hypothesis. Although 
the formal hypothesis was refuted [Kur83], the informal hypothesis is still compelling, and 
remains a basis for assigning credibility to random relativizations. 

This brings us to a crucial point: do we believe that annihilating functions exist? We are 
divided ourselves on this question, and await further evidence. 
Interactive protocols [GMR] and Arthur-Merlin games [B] have attracted considerable
interest since their introduction a few years ago. These notions make it (probably)
possible to extend the concept of what is "efficiently" provable to include, for
instance, graph non-isomorphism [GMW]. In this short note, we assume that the
reader is familiar with interactive protocols, Arthur-Merlin games, and the notion of
zero-knowledge [GMR].

In the previous paragraph, we put quotes around "efficiently" because it is only 
the Verifier that is required to be efficient (i.e.: polynomial time). On the other hand, 
both interactive protocols and Arthur-Merlin games allow the Prover (or ' ' Merlin " ) to 
be infinitely powerful. In fact, not only is the Prover allowed to be powerful but she 
is actually required to be so in many of the most interesting theorems concerning these 
notions [B,GS,F, etc.]. For instance, in the graph non-isomorphism protocol, the 
Prover must be capable of deciding graph isomorphism. 

An important pair of results states that MA ⊆ AM = IP[k] [B, GS], but again this
requires the Prover to have considerable computing power even if the original MA
protocol is feasible! From a practical point of view, this is silly in the sense that a
polynomial-time Prover can run an MA protocol if only given a polynomial piece of
advice, whereas it is not at all clear that she could run the corresponding AM protocol
without additional power and/or information. (This is because the Prover must be able
to satisfy exponentially many challenges in an AM setting.)
For this reason, it is our opinion that MA is the natural extension of NP to randomness.
This opinion is not new: it was already voiced in [BC]. However, here we
claim that this is not merely an opinion but actually a theorem, albeit a rather trivial
one. To achieve this goal, of course, we must be more precise on what we mean by
"Practical IP": it is the class of languages that can be handled when both the Prover
and the Verifier are restricted to being polynomial time.

This definition raises an important issue: if Prover and Verifier have similar com- 
puting abilities (and algorithmic knowledge), how did the Prover manage to obtain a 
hard enough proof to be of interest to the Verifier? (It is obviously uninteresting if 
the Verifier can figure out the proof by himself.) One possible answer is that the 
Prover was lucky enough or that she worked hard enough to find it (this would 
presumably be the case for an eventual proof of FLT). A much more interesting 
answer, at least in cryptographic settings, is that the Prover obtained the statement of 
her claim together with its proof, as a result of running a probabilistic polynomial-time 
process (starting from some randomly chosen trap-door information). For instance, if 
the Prover wants a statement of the general form "the integer n is the product of 
exactly two distinct primes", she can simply choose the primes at random and multiply
them. She then knows the factors of the result even though she is not better than
the Verifier at factoring large integers. Read [AABFH] for a very nice theory on the 
efficient generation of solved hard instances of problems in NP. 

Whatever is the origin of the information that allows the polynomial-time Prover
to run her share of the interactive protocol, that information is necessarily polynomial
in length. It is therefore reasonable to assert that "Practical IP" is included in
"Polynomial-time IP with polynomial advice for the Prover" (PIP/Poly), where of
course "polynomial-time" restricts both the Prover and the Verifier. (We are not willing
to claim that "Practical IP" = PIP/Poly because in our view the really practical
case for cryptography is when the advice comes from trap-door information rather than
hard labour or luck.) Therefore, in order to prove the assertion given in the title of
this paper, it suffices to prove that PIP/Poly ⊆ MA (in fact, these classes are equal, but
the reverse inclusion is irrelevant for our purpose).

Consider a language L in PIP/Poly, some x in L, and the polynomial-length
advice a that the (polynomial-time) Prover could use through an IP to convince the
Verifier that x is in L. The fact that L belongs to MA is obvious: given only x, an
all-powerful Prover (Merlin) can figure out this advice a and simply give it to the
Verifier (Arthur). The Verifier can then (in polynomial time) simulate the
polynomial-time Prover and her interaction with him. This completes the proof that
"Practical IP" ⊆ MA. An open question is whether the inclusion is strict: in particular,
is it possible in general to generate solved hard instances for every hard language
in MA? The reader is referred once more to [AABFH] for preliminary results concerning
NP.
An interesting situation occurs if one is interested in zero-knowledge protocols
[GMR]. It is shown in [BCC] (under cryptographic assumptions) that MA protocols
can be carried out in zero-knowledge by a polynomial-time Prover provided she is
given the corresponding piece of advice. This is in sharp contrast with the result of
[GMW] in which an MA protocol must first be transformed into an AM protocol
before it can be carried out in zero-knowledge, hence even a practical MA protocol
requires a powerful Prover to be carried out in zero-knowledge if the technique of
[GMW] is used. (This situation was already pointed out in [BCC].) In conclusion,
[BCC] allows us to claim that

"Practical IP" = "Practical zero-knowledge",

which is the "practical" version of "everything provable is provable in zero-
knowledge" [IY, BGGHKMR].
Abstract

In this note we first develop a new computationally zero- knowledge interac- 
tive proof system of knowledge, which then is modified into an authentication 
scheme with secret key exchange for subsequent conventional encryption. 
Implemented on a standard 32-bit chip or similar, the whole protocol, which 
involves mutual identification of two users, exchange of a random common se- 
cret key and verification of certificates for the public keys (RSA, 512 bits) takes 
less than 0.7 seconds. 

1 Introduction 

Recently, some very effective zero- knowledge identification-schemes have been con- 
structed, such as Fiat-Shamir, [FS], Micali-Shamir, [MS], and Guillou-Quisquater, 
[GQ]. However, they only provide authentication, not confidentiality. Consequently, 
if one aims at implementing a hybrid system based on public keys to provide user 
authentication and secret key exchange, these fast schemes are of no help. 

The protocol, we are going to describe, is designed for software implementation 
on a standard chip such as Intel 80386 or Motorola 68030 or perhaps on a DSP-chip 
with the extra requirement that the whole communication setup is based on 512 bits 
RSA-modulus and takes less than 2 seconds. 

2 The Basic Authentication Scheme 

We first describe an example of a more general construction of a computationally 
zero-knowledge interactive proof system of knowledge based on a public key system. 
In the example we use RSA as the public key system, but the method would work in
general under some reasonably weak assumptions.

For proof-technical reasons we need two independent general public key pairs
(one-way functions with trapdoor) n̄ = p̄q̄, e a public exponent prime to φ(n̄), and
n̂ = p̂q̂, e a public exponent prime to φ(n̂). (n̄, e) and (n̂, e) can be generated when
the system is set up. Then p̄, q̄, p̂ and q̂ can be deleted and are therefore assumed
unknown to all users. Thus the prover, P, and the verifier, V, receive as auxiliary
input n̄ and n̂, which they must trust to be generated correctly. This is similar to the
non-interactive zero-knowledge model where P and V share a bit-string which they
must trust to be random [BFM].

In the final version of this paper, we remove the need for n̂. This requires a
more complicated argument to prove the zero-knowledge property, but simplifies the
protocol (see Section 4).

Moreover each prover computes his own public-key pair n = pq, e public exponent,
d secret (ed = 1 mod φ(n)). The "knowledge" he is going to prove to possess is
that he can provide arbitrary signatures m^d mod n. For convenience, we assume that
k = log n = log n̄ = log n̂.

Protocol:

1. V chooses arbitrary bit-strings Q, R of length ½ log n, subject to (Q || R) < n,
where (Q || R) is the number represented by the concatenation, R in the least
significant half.

He also chooses S, S' of length ½ log n̄, subject to (S || R) < n̄ and (S' || Q) < n̂.
He computes (Q || R)^e mod n, (S || R)^e mod n̄ and (S' || Q)^e mod n̂ and sends
these numbers to P.

2. P recovers (Q || R), chooses T, T', arbitrary bit strings of length ½ log n, subject
to (T || R) < n̄ and (T' || Q) < n̂, computes (T || R)^e mod n̄ and (T' || Q)^e mod n̂ and
sends these numbers to V.

3. V sends S, S' to P.

4. Using S and S' received in step 3), P checks the values for (S || R)^e mod n̄
and (S' || Q)^e mod n̂ that he received in step 1).

If OK, he sends T, T' to V. Otherwise, he halts.

5. V uses T, T' to check the values for (T || R)^e mod n̄ and (T' || Q)^e mod n̂ he
received in step 2).

If OK, he accepts. Otherwise he rejects.
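The five steps above, run end to end in Python as an added example (not the paper's implementation). Toy 32-bit moduli replace the 512-bit ones, a single public exponent e = 65537 serves n, n̄ and n̂ (an assumption; the text only requires each to be prime to the respective φ), and HALF = 15 plays the role of ½ log n so that every concatenation is below all three moduli. Two departures from honest behaviour are modelled: a prover who cannot recover (Q || R) and bluffs with guessed values in step 4 instead of halting, and a verifier who opens a wrong S in step 3. Names are the example's own.

```python
"""Toy run of the five-step RSA-based identification protocol.

Three moduli: n (the prover's own key, d known to P) and the two system moduli
n_bar, n_hat whose factors nobody holds.  Half-length strings are HALF bits and
(hi || lo) = hi * 2^HALF + lo, lo in the least significant half."""
import random
from math import gcd

HALF = 15   # stands in for (1/2) log n: with 16-bit primes every concatenation is < 2^30 <= n
E = 65537   # single public exponent for n, n_bar and n_hat (assumption, see lead-in)

def is_prime(n):
    """Trial division; adequate for the 16-bit primes used here."""
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def random_prime(rng):
    """A 16-bit prime p with gcd(E, p - 1) = 1, so that E is a valid exponent."""
    while True:
        p = rng.randrange(1 << 15, 1 << 16)
        if is_prime(p) and gcd(E, p - 1) == 1:
            return p

def rsa_modulus(rng):
    """Return (n, d) for a fresh 32-bit modulus; callers modelling system moduli drop d."""
    p, q = random_prime(rng), random_prime(rng)
    while q == p:
        q = random_prime(rng)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def cat(hi, lo):
    """(hi || lo), lo in the least significant half."""
    return (hi << HALF) | lo

def split(x):
    return x >> HALF, x & ((1 << HALF) - 1)

def run_protocol(n, d, n_bar, n_hat, rng, prover_knows_d=True, verifier_honest=True):
    """One run; returns 'accept', 'reject' (V's step 5 fails) or 'halt' (P stops in step 4)."""
    h = lambda: rng.getrandbits(HALF)
    # step 1 (V): pick Q, R, S, S' and send the three RSA encryptions
    Q, R, S, S2 = h(), h(), h(), h()
    c_qr = pow(cat(Q, R), E, n)
    c_sr = pow(cat(S, R), E, n_bar)
    c_sq = pow(cat(S2, Q), E, n_hat)
    # step 2 (P): recover (Q || R) with d (a prover without d can only guess), commit to T, T'
    Qp, Rp = split(pow(c_qr, d, n)) if prover_knows_d else (h(), h())
    T, T2 = h(), h()
    c_tr = pow(cat(T, Rp), E, n_bar)
    c_tq = pow(cat(T2, Qp), E, n_hat)
    # step 3 (V): open S, S' (a cheating V opens a wrong S)
    S_open, S2_open = (S, S2) if verifier_honest else ((S + 1) % (1 << HALF), S2)
    # step 4 (P): check the openings against the step-1 values; an honest P halts on a
    # mismatch, while a bluffing P* that could not recover Q, R sends T, T' regardless
    if prover_knows_d and (pow(cat(S_open, Rp), E, n_bar) != c_sr
                           or pow(cat(S2_open, Qp), E, n_hat) != c_sq):
        return "halt"
    # step 5 (V): check T, T' against P's step-2 commitments, using V's own Q and R
    if pow(cat(T, R), E, n_bar) == c_tr and pow(cat(T2, Q), E, n_hat) == c_tq:
        return "accept"
    return "reject"

def demo(seed=1):
    """Honest run, run with a prover lacking d, run with a verifier opening a wrong S."""
    rng = random.Random(seed)
    n, d = rsa_modulus(rng)
    n_bar, _ = rsa_modulus(rng)   # system moduli: their trapdoors are discarded
    n_hat, _ = rsa_modulus(rng)
    return (run_protocol(n, d, n_bar, n_hat, rng),
            run_protocol(n, d, n_bar, n_hat, rng, prover_knows_d=False),
            run_protocol(n, d, n_bar, n_hat, rng, verifier_honest=False))

if __name__ == "__main__":
    print(demo())
```

demo() returns ("accept", "reject", "halt"): the honest run accepts, the prover without d fails V's step 5 check because his guessed R and Q do not match the ones V used, and the honest prover facing a verifier that opens a wrong S halts in step 4 without releasing T, T'.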

We now informally sketch how to prove the correctness and security of this protocol.
We will say that f(x) is pseudorandom given g(x) (where x ∈ {0, 1}*) if no polynomial
time probabilistic algorithm can distinguish between pairs of the form (g(x), f(x)) and
(g(x), r), where r is chosen uniformly from Im(f).



It has been shown earlier, [ACGS], that the least significant log k bits of x are
pseudorandom given x^e mod n. Following Micali and Schnorr [MS] we stretch this a
little to get

Assumption *:

The least significant ½k bits of x are pseudorandom given x^e mod n if the factors of
n are unknown.

When we speak of a proof system of knowledge, we mean that the following must
hold for an arbitrary prover P*: if P* completes the protocol successfully with non-
negligible probability, then there exists a probabilistic polynomial time algorithm,
which with the help of P* finds x from x^e mod n with non-negligible probability.

This is a little twist of the notion defined by Feige, Fiat and Shamir in [FFS]:
a prover does not prove his possession of a certain bit-string, but his ability to do
something.

Theorem 1. 

Under * the protocol is a zero-knowledge proof system of knowledge. 
Proof: 

Zero-knowledge: 

Given an arbitrary verifier, $V^*$, we describe a simulator, $M_{V^*}$. We may assume that 
the algorithm used to generate $\bar{n}$ is public. Therefore $M_{V^*}$ can generate $\bar{n}$ with known 
factorization and correct distribution and give this number to $V^*$ as input. We may 
now proceed as follows: 

1. Receive $(Q \| R)^e \bmod n$, $(S \| R)^{\bar{e}} \bmod \bar{n}$ and $(S' \| Q)^{\bar{e}} \bmod \bar{n}$ from $V^*$. 

2. Recover $(Q \| R)$, and check against $(Q \| R)^e \bmod n$. If OK, compute and send 
$(T \| R)^{\bar{e}} \bmod \bar{n}$ and $(T' \| Q)^{\bar{e}} \bmod \bar{n}$ as $P$ would have done. Otherwise send 
$X^{\bar{e}} \bmod \bar{n}$, $Y^{\bar{e}} \bmod \bar{n}$ for random $X, Y$. 

Now observe: 

• If $V^*$ sends correct messages in step 1), we can complete the protocol with 
exactly the right distribution of messages. 

• If this is not the case, $P$ would always stop in step 3), and the random $X^{\bar{e}} \bmod \bar{n}$, 
$Y^{\bar{e}} \bmod \bar{n}$ cannot be distinguished from the "real" $(T \| R)^{\bar{e}} \bmod \bar{n}$, $(T' \| Q)^{\bar{e}} \bmod \bar{n}$ 
- by *. 

From this, it is clear that the simulation works. 
Proof-system: 

Completeness is obvious. As for soundness assume some $P^*$ completes the protocol 
with non-negligible probability. We now describe an algorithm $M_{P^*}$ which will find 
$x$ from $x^e \bmod n$ with non-negligible probability. 

Choose $\bar{n}$ with known factorization and give this as input to $P^*$. Suppose we are 
given $x^e \bmod n$, $x$ unknown. Then choose $y, z < \bar{n}$ and send $x^e \bmod n$, $y^{\bar{e}} \bmod \bar{n}$ and 
$z^{\bar{e}} \bmod \bar{n}$ to $P^*$. 

Receive $(T \| R)^{\bar{e}} \bmod \bar{n}$ and $(T' \| Q)^{\bar{e}} \bmod \bar{n}$ from $P^*$, recover $(Q \| R) = x$. 
By *, $P^*$ cannot distinguish the random $y^{\bar{e}} \bmod \bar{n}$, $z^{\bar{e}} \bmod \bar{n}$ from the real $(S \| R)^{\bar{e}} \bmod 
\bar{n}$ and $(S' \| Q)^{\bar{e}} \bmod \bar{n}$, hence the recovered $(Q \| R)$ will be correct with essentially 
the same (i.e. non-negligible) probability as in an actual conversation with $V$. □ 

In a formal proof of this fact, what we get is a result saying that $P^*$ finds $x$ with the 
same probability when talking to $V$ as when talking to $M_{P^*}$, or the combined system 
$(P^*, M_{P^*})$ can invert $y^{\bar{e}} \bmod \bar{n}$. But this is an empty statement if $M_{P^*}$ already knows 
$(p, q)$. This is why we cannot use $\bar{n} = n$. 

3 Combining with Key-Exchange 

For this, we can use exactly the same protocol as before, except that $V$ will first choose 
$K < n$ and compute $(Q \| R) = K^e \bmod n$. The protocol runs as before, but $P$ 
can recover $K$ as $K = ((Q \| R)^e)^{d^2} \bmod n$. We can now use the least significant $\frac{1}{2}k$ 
bits of $K$ as secret key. 

Theorem 2. 

The secret key exchanged as above is pseudorandom given the conversation between 
P and V, assuming *. 

Proof: 

By *, the key is pseudorandom given $(Q \| R)$, and given $(Q \| R)$, the rest of the 
conversation can be simulated exactly. □ 



4 Practical Implementation 

As mentioned earlier, it is possible to redesign the protocol so that it does not use n. 
The resulting version is given below. By a somewhat complicated argument, given in 
the final version of this paper, this version too can be proved to be a zero-knowledge 
proof system. It is an open problem whether the protocol remains correct if we use 
the tempting simplification of putting $\bar{n} = n$. 

Our protocol is intended for use in a public network, where users wish to be 
convinced about each other's identities before communicating secretly. Part of this 
goal is often achieved by letting some center, $C$, provide signatures (certificates) on 
public keys. It would be natural to let $C$ provide $\bar{n}$ too. This does not constitute any 
serious problem: as mentioned, the factorization of $\bar{n}$ can simply be forgotten after 
setting up the system. 

Thus the practical version of the protocol will be as follows: 

1. $V$ chooses $K < n$ randomly and computes $Q$ and $R$ as $(Q \| R) = K^e \bmod n$. 
He then computes $(Q \| R)^e \bmod n$ and sends this number to $P$. 

2. $P$ recovers $K$, $Q$ and $R$. As before $P$ chooses $T, T'$, computes $(T \| R)^{\bar{e}} \bmod \bar{n}$ 
and $(T' \| Q)^{\bar{e}} \bmod \bar{n}$ and sends these numbers to $V$. 

3. $V$ sends $Q, R$ to $P$. 

4. $P$ checks the values for $Q$ and $R$. 

If OK, he sends $T, T'$ to $V$. Otherwise, he halts. 

5. $V$ checks the values for $(T \| R)^{\bar{e}} \bmod \bar{n}$ and $(T' \| Q)^{\bar{e}} \bmod \bar{n}$ he received in step 
2). 

If OK, he accepts. Otherwise he rejects. 
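The five steps above, together with the key derivation of Section 3, run end to end as an added example (not code from the paper). All parameters are constructed toy values: tiny primes for $n$ and $\bar{n}$, $e = \bar{e} = 3$, and concatenation $(A \| B)$ realised as placing $B$ in the low bits; the factors of $\bar{n}$ are never used, as the paper requires. A tampered run, where $V$ reveals a wrong $R$ in step 3, shows $P$ halting in step 4.

```python
# Toy end-to-end run of the practical protocol (added example, constructed parameters).
from math import gcd

P_PRIME, Q_PRIME = 1019, 1031           # P's secret factors of n (constructed toy primes)
N = P_PRIME * Q_PRIME                   # P's public modulus n
E = 3                                   # public exponent e
PHI = (P_PRIME - 1) * (Q_PRIME - 1)
D2 = pow(pow(E, -1, PHI), 2, PHI)       # d^2 mod phi(n), precomputed once by P
N_BAR = 2027 * 2039                     # centre's modulus n-bar (constructed); factors "forgotten"
E_BAR = 3                               # exponent e-bar for the commitments
K_BITS = N.bit_length()                 # k = log n
HALF = K_BITS // 2                      # length of R, T, T'; the key is the low k/2 bits of K
assert gcd(E, PHI) == 1

def split(x):
    """Read x as (Q || R): R is the low HALF bits, Q the remaining high bits."""
    return x >> HALF, x & ((1 << HALF) - 1)

def concat(a, b, b_bits):
    """(a || b) with b occupying exactly b_bits low bits."""
    return (a << b_bits) | b

def run_protocol(K, T, T2, tamper_R=False):
    """Run steps 1-5; return (V accepts, V's key, P's key). P's key is None if P halted."""
    # Step 1: V chooses K < n, forms (Q || R) = K^e mod n and sends (Q || R)^e mod n.
    QR_V = pow(K, E, N)
    c = pow(QR_V, E, N)
    # Step 2: P recovers K = c^(d^2) mod n, hence Q and R, and commits to T, T' bound to R, Q.
    K_P = pow(c, D2, N)
    Q_P, R_P = split(pow(K_P, E, N))
    m1, m2 = concat(T, R_P, HALF), concat(T2, Q_P, K_BITS - HALF)
    assert m1 < N_BAR and m2 < N_BAR     # commitments must fit below the modulus
    u, v = pow(m1, E_BAR, N_BAR), pow(m2, E_BAR, N_BAR)
    # Step 3: V reveals Q and R (a cheating V is modelled by flipping a bit of R).
    Q_V, R_V = split(QR_V)
    if tamper_R:
        R_V ^= 1
    # Step 4: P compares with what he decrypted himself; on mismatch he halts.
    if (Q_V, R_V) != (Q_P, R_P):
        return False, None, None
    # Step 5: V recomputes both commitments from T, T' and his own Q, R.
    ok = (pow(concat(T, R_V, HALF), E_BAR, N_BAR) == u and
          pow(concat(T2, Q_V, K_BITS - HALF), E_BAR, N_BAR) == v)
    low = (1 << HALF) - 1
    return ok, K & low, K_P & low        # both sides keep the least significant k/2 bits of K

if __name__ == "__main__":
    print(run_protocol(123456, 677, 961))                # honest run: accepted, equal keys
    print(run_protocol(123456, 677, 961, tamper_R=True)) # P halts in step 4
```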

For efficiency, it is advisable to choose $e$ and $\bar{e}$ small, i.e. 3. Then the only 
really time-consuming part is finding $x^{d^2} \bmod n$ from $x$. Note that the version with key 
exchange does not require more time, if $e$ is small. $P$ can precompute $d^2 \bmod \varphi(n)$, 
and the protocol will then only require 2 extra exponentiations to the $e$'th power, 
which is negligible. With a little care, it is possible to use $e = 2$, which will be even 
more efficient. 

Finally note that $A$ can prove himself to $B$ while $B$ is proving himself to $A$. In 
particular we can ensure that "decryption" of $(Q \| R)^e$ takes place simultaneously for 
$A$ and $B$. Thus this will not take more time than the basic version of the protocol. 

It will be natural to obtain the final key as the xor of the two produced keys, since 
this will ensure that the key is known to precisely $A$ and $B$, and no one else. 

The basic operations needed for this protocol have been implemented on a standard 
16 MHz Intel 80386 processor. The results of this show that the whole protocol, 
including verification of public-key certificates, can be completed in less than 0.7 seconds. 